Email Spam Filtering on cPanel: SpamAssassin, RBLs and Quarantine Step‑by‑Step

If you manage email on a cPanel hosting account, you already know how quickly spam can get out of control. Sales teams miss real leads buried under junk, support inboxes fill up with fake tickets, and business owners lose confidence in their own domain because every other message is noise. The good news: cPanel ships with powerful tools to fight spam, but most people only flip a single switch and hope for the best. As a hosting team at dchost.com, we spend a lot of time tuning email environments for real customers, and we see the same pattern: once SpamAssassin, RBL blocklists, and quarantine are configured properly, spam drops sharply without losing important messages. In this guide, we will walk through how spam filtering actually works on cPanel, how to tune SpamAssassin, how to integrate RBLs, and how to manage quarantine step‑by‑step so your users keep control of their inbox instead of the other way around.

How Spam Filtering Works on cPanel (Big Picture)

Before touching any settings, it helps to understand what is happening to each email that reaches your cPanel server. At a high level, three layers decide whether a message lands in the inbox, spam folder, or gets rejected:

• Connection‑level checks – The mail server (Exim on cPanel) checks the sender IP, DNS, and RBLs (real‑time blacklists) before even accepting the message.
• Content‑level scoring (SpamAssassin) – If the message is accepted, SpamAssassin analyses headers and content and assigns a numerical spam score.
• Filtering & quarantine – cPanel then uses your rules (Spam Box, auto‑delete, custom filters) to decide what happens with high‑scoring emails.

Think of it as an airport checkpoint. RBLs are like the first identity check at the door, SpamAssassin is the full screening, and your filters decide who goes to a special waiting room (quarantine) or gets turned away. When we configure hosting environments at dchost.com, we always aim for a layered approach instead of a single aggressive setting that silently discards email. That layered design is what we will build in the rest of this article.

Enabling and Tuning SpamAssassin in cPanel

SpamAssassin is cPanel’s built‑in spam scanner. It runs a large set of rules on every inbound email: checking for suspicious phrases, known scam patterns, malformed headers, and signals from spam databases. Each rule adds or subtracts points, resulting in a spam score. Higher score = more likely spam.

Step 1: Open the Spam Filters Interface

1. Log in to your cPanel account.
2. Scroll down to the Email section.
3. Click Spam Filters (on some themes it may be labelled “Spam Filters” or “Apache SpamAssassin”).

If SpamAssassin is disabled, you will see a button such as Process New Emails and Mark them as Spam. Turn this on so that incoming mail is scanned and tagged.

Step 2: Choose a Sensible Spam Threshold Score

On the Spam Filters page, you will see a setting similar to Spam Threshold Score (often defaulted to 5). This is the minimum score at which an email is considered spam.

• Score 5 (default) – Good balance for most small businesses; catches typical spam but rarely blocks normal one‑to‑one email.
• Score 3–4 (stricter) – Useful for very spammy domains, but may send some real newsletters or marketing emails to spam.
• Score 6–8 (looser) – Safer for critical inboxes where losing a single email is unacceptable, but more spam will get through.

From our experience hosting email for clients, a score of 4 or 5 is a solid starting point. You can always adjust later if users complain that too much or too little is marked as spam.

Step 3: Enable Spam Box (Quarantine) Instead of Auto‑Delete

Below the threshold score, you will see two key options:

• Move New Spam to a Separate Folder (Spam Box)
• Automatically Delete New Spam (Auto‑Delete)

Our strong recommendation is:

• Enable Spam Box so spam goes into a folder (usually named “Spam” or “Junk”) per mailbox.
• Do NOT enable Auto‑Delete, at least not until you are confident your thresholds are safe.

Spam Box gives you a real quarantine. Users can open the Spam folder from their mail client or webmail and rescue any false positives. Auto‑delete is like shredding every suspicious letter before you see it; great when perfectly tuned, dangerous when it is not.

Step 4: Configure Whitelists and Blacklists

Still in the Spam Filters interface, look for:

• Additional Configurations (For Advanced Users) or similar toggle.
• Options like Whitelist (Emails Always Allowed) and Blacklist (Emails Always Blocked).

Use these carefully:

• Whitelist important senders that are being incorrectly sent to spam (e.g. a key supplier or ticketing system).
• Blacklist persistent spammers or domains you never want to hear from.

You can add entries as full addresses ([email protected]) or entire domains (@example.com). Avoid over‑whitelisting (e.g. whitelisting large webmail providers), because that bypasses all checks even if an account there is compromised.

Using RBL Blocklists (DNSBL) for Stronger Filtering

SpamAssassin looks mostly at the content and structure of email. But one of the most powerful signals lives at the connection layer: the IP address of the sending server. This is where RBLs (Real‑time Block Lists), also known as DNSBLs, come in.

An RBL is essentially a crowdsourced (but curated) list of IPs known to send spam or behave maliciously. When a remote mail server tries to deliver an email to your cPanel server, Exim can query several RBLs. If the sender IP is listed, your server can:

• Reject the email at connection time (never reaches SpamAssassin).
• Accept it but add points to the SpamAssassin score.

RBLs on Shared Hosting vs VPS/Dedicated

If you are on shared hosting at dchost.com, the RBL configuration is handled centrally at the server level. We maintain a conservative, production‑ready RBL set that balances spam blocking with low false‑positive rates. You do not need to configure anything in your own cPanel account for RBLs to work.

If you manage a VPS, dedicated server, or colocated server with root access (for example, using WHM on a cPanel server), you can fine‑tune or extend RBL usage.

Step‑by‑Step: Enabling RBLs in WHM (for VPS/Dedicated)

For server owners with WHM access:

1. Log in to WHM as root.
2. Go to Exim Configuration Manager.
3. Open the Basic Editor tab.
4. Find the section RBLs or RBL: Real‑time Blackhole Lists.
5. Enable recommended RBLs (e.g. well‑known providers with low false positives).
6. Save and rebuild Exim configuration.

In the Advanced Editor, you can also:

• Control whether a match causes an immediate reject or just adds a header.
• Feed RBL results into SpamAssassin by adding custom headers that contribute to the spam score.

When designing these setups for our VPS customers, we often pair RBL checks with strong authentication (SPF, DKIM, DMARC, and correct rDNS) so that our own servers stay off blocklists too. If you want to go deeper on that side, our article a friendly, step‑by‑step guide to SPF, DKIM, DMARC and rDNS is a good companion read.

What If Your Own IP Gets Listed?

RBLs cut both ways: they protect you from spam, but they can also block your outbound email if your IP gets listed. This can happen due to malware on a site, a compromised mailbox, or an overly aggressive marketing blast.

If you suspect your server IP is on a blocklist, we have a detailed recovery playbook in our guide to email sender reputation recovery and blocklist delisting. The short version: stop the abuse, clean up, then follow each RBL’s removal process calmly with good evidence.

Setting Up Quarantine and Spam Folders the Right Way

Once SpamAssassin and RBLs are in place, the next question is: what happens to emails that cross your spam threshold? This is where quarantine management matters. You want spam out of the inbox, but you also want a safe place to rescue false positives.

How Spam Box Works in cPanel

When you enable Spam Box in the Spam Filters interface:

• cPanel creates a folder named “spam” (or sometimes “Junk”) for each mailbox.
• Emails that exceed the SpamAssassin threshold are delivered to this folder instead of the Inbox.
• The folder lives on the server like any other IMAP folder.

Every user can then connect via IMAP (Outlook, Apple Mail, Thunderbird, mobile mail apps) or webmail (Roundcube, Horde depending on the server) and review their Spam folder.

Subscribing to the Spam Folder in Mail Clients

In some email clients, new folders are not shown automatically. To make sure users see their quarantine:

• Outlook: Right‑click on the email account > IMAP Folders > click Query > subscribe to “Spam” or “Junk”.
• Apple Mail: Mailbox > New Mailbox or Subscribe in account settings, then map the server’s Spam folder.
• Mobile apps: Usually the Spam/Junk folder appears automatically after the first spam email arrives; sometimes you need to tap “Show all folders”.

We recommend explaining to end‑users that this folder is their “quarantine”. They should quickly scan it periodically and drag any legitimate emails back to the Inbox. This helps train some mail clients’ own local filters as well.

Auto‑Cleaning Old Spam from Quarantine

Quarantine only works if it does not grow forever. Large Spam folders consume disk space and slow down backups. You have several options to auto‑clean:

• Use mail client rules – Many clients can automatically delete messages in the Spam folder older than X days.
• Use webmail filters – In Roundcube, you can create filters that move or delete spam older than a threshold.
• Use cPanel's Email Disk Usage – From Email > Email Disk Usage, select the mailbox and run bulk deletions (e.g. all messages in Spam older than a date).

On servers we manage, a typical policy is to keep spam for 7–30 days depending on the business. That is usually enough time for users to notice missing messages while keeping storage clean.

When to Consider Auto‑Delete

Once you have run with Spam Box for a while and feel confident about your thresholds, you can consider enabling Auto‑Delete for very clear‑cut spam. A safer pattern is:

• Keep the main threshold at 4 or 5 and send those to Spam Box.
• Use custom filters (see next section) to automatically delete messages with a very high score (e.g. 10+).

That way, only the worst, most obviously malicious messages are discarded immediately, while borderline cases still land in quarantine.

Custom Filters for Edge Cases and Advanced Control

SpamAssassin and RBLs do most of the heavy lifting, but sometimes you need extra rules: a particular subject line pattern, a country‑specific campaign, or internal routing based on keywords. cPanel gives you two main tools:

• Email Filters – Per‑mailbox rules.
• Global Email Filters – Rules applied to all addresses on the domain.

Step‑by‑Step: Creating a Per‑Account Email Filter

1. In cPanel, go to Email > Email Filters.
2. Click Manage Filters next to the mailbox you want.
3. Click Create a New Filter.
4. Give it a descriptive name (e.g. “High score hard delete”).
5. Under Rules, select what to match (e.g. “Spam Bar” or “Spam Score”).
6. Under Actions, choose what to do (e.g. “Discard Message” or “Redirect to email” for quarantine).
7. Click Create.

One popular pattern is:

• Rule: Spam Score “is above” 10.
• Action: Discard Message.

This catches only emails that SpamAssassin considers extremely suspicious, reducing the risk of deleting legitimate mail.

Step‑by‑Step: Creating Global Email Filters

For rules that should apply to the entire domain (e.g. block all emails from a malicious domain):

1. In cPanel, go to Email > Global Email Filters.
2. Click Create a New Filter.
3. Set a descriptive name like “Block bad‑domain.example”.
4. Choose a match field (e.g. “From” “contains” @bad-domain.example).
5. Set the action to Discard Message or Redirect to email where you keep a manual review inbox.
6. Save the filter.

Use Global Filters sparingly. They are powerful and can affect every user on the domain. For most user‑specific preferences (like routing newsletters into a folder), stick with per‑account filters.

Testing Filters Before Going Live

Both Email Filters and Global Email Filters include a Filter Test tool. Before enabling an aggressive rule:

• Open the filter you created.
• Paste a sample email's raw message (including headers) into the test box.
• Run the test to see whether the rule triggers.

We often recommend customers grab an example spam email (via “View Source” in the mail client), test their filter, adjust it, and repeat until the rule behaves exactly as expected.

Monitoring, Testing and Avoiding Over‑Blocking

Effective spam filtering is not “set and forget”. It is more like tuning a musical instrument: light checks and small adjustments keep everything in harmony. Here are the habits we see in stable, low‑spam environments.

Check Spam Headers in Delivered Email

For any email that looks like it might have been mis‑classified, inspect the raw headers. Look for lines like:

X-Spam-Status: Yes, score=6.4 required=5.0 tests=...

This tells you:

• Whether SpamAssassin saw it as spam (Yes/No).
• The score it assigned and the required threshold.
• Which tests fired (helpful when debugging why something scored high).

If a legitimate email has a score only slightly above your threshold (e.g. threshold 5, score 5.2), consider either:

• Whitelisting that sender or domain.
• Raising the global threshold slightly (to 6) if many such cases appear.

Review Quarantine Regularly

For business‑critical inboxes (sales, support, billing), we recommend:

• Daily or every‑other‑day quick scan of the Spam folder.
• A simple internal rule: “If you cannot find an email, check Spam before contacting IT.”

When we onboard new customers to our hosting platform, we usually run a few weeks with a slightly looser threshold and Spam Box enabled, gather feedback, and then tighten gradually as users build confidence.

Watch Your Own Deliverability Too

Inbound spam filtering is only half the story. Good spam controls on your side go hand‑in‑hand with not being seen as a spammer by other servers. If you send email from IPv6 addresses, for example, there are extra details (PTR, HELO, SPF, and blocklists) to get right. We covered those in detail in our article Email deliverability over IPv6 with PTR, HELO, SPF and blocklists.

If you use forwarding heavily (e.g. forwarding catch‑all addresses or aliases to external providers), be aware that this can confuse SPF and DMARC and sometimes cause forwarded mail to be treated as spam. When that is part of your setup, our guide on fixing SPF/DMARC issues caused by forwarding with SRS and ARC is worth a read.

Choosing the Right Hosting Setup for Clean Email

Spam filtering quality is not only about settings inside cPanel; it also depends on the underlying hosting model you choose. At dchost.com we see three main patterns:

• Shared hosting with cPanel email – Easy to manage, spam tools pre‑configured, good for small teams that want everything in one place.
• VPS or dedicated server with cPanel/WHM – Full control over RBLs, Exim, and SpamAssassin, ideal for organisations that need custom policies or integrate with external gateways.
• Hybrid setups – Website hosted on a VPS or dedicated server, email offloaded to a specialised platform.

We explored these trade‑offs in detail in our article Email hosting choices explained: self‑hosted, shared hosting, or external suites. The important point for spam filtering is: whichever route you choose, make sure you still have access to SpamAssassin‑style content filtering, RBLs, and some kind of quarantine folder. cPanel gives you all three in one place, which is why many of our customers stick with it even as they scale.

Conclusion: A Practical cPanel Spam Defense Checklist

Modern spam is noisy, persistent and increasingly automated. But with a well‑tuned cPanel environment, you do not have to accept a messy inbox as normal. The combination of SpamAssassin, RBL blocklists, and sensible quarantine management gives you a layered defense that is both effective and forgiving when mistakes happen.

To recap the calm, step‑by‑step approach we use at dchost.com:

• Turn on SpamAssassin and start with a threshold of 4 or 5.
• Enable Spam Box so that suspicious mail goes to a recoverable quarantine folder, not the shredder.
• Use whitelists and blacklists sparingly for clear‑cut cases.
• Leverage RBLs at the server level (managed for you on shared hosting, tunable on VPS/dedicated) to block known bad IPs early.
• Add custom filters only where needed, and test them with real messages.
• Review spam folders regularly and adjust thresholds based on real feedback, not guesses.

If you are planning a new hosting setup, moving to a VPS, or just want a cleaner email environment for your team, our hosting plans at dchost.com are built with these practices in mind. We can help you choose between shared hosting, VPS, dedicated servers or colocation and design spam filtering that matches how your business actually works. When your inbox is calm, everything else in your digital stack is easier to manage.