A SpamAssassin score is a weighted risk score for an email message. It helps explain why a message might be filtered, quarantined, or routed to spam by looking at message content, headers, authentication, links, formatting, and sender signals.
For engineering, QA, growth, and deliverability teams, the score is most useful when it becomes a release check. With MailSlurp you can send the final rendered email to a real inbox, inspect headers, run spam checks, validate SPF/DKIM/DMARC, and repeat the same test before every campaign or transactional email change.
Quick answer: what is a good SpamAssassin score?
A lower SpamAssassin score usually means lower filtering risk.
0.0 to 2.9: low risk for most normal transactional and lifecycle email.3.0 to 4.9: caution zone. Review rule hits, authentication, links, and content before sending broadly.5.0+: many SpamAssassin installations treat this as spam or high risk.8.0+: critical risk. Treat the message as blocked until the root cause is fixed and retested.
Many systems use 5.0 as the default required score, but the actual threshold depends on the receiving server policy. A message with a score of 4.8 can still have deliverability problems, and a message below 5.0 can still land in spam if authentication, reputation, or recipient engagement is poor.
Executive summary
- SpamAssassin adds and subtracts rule weights to produce one final score.
- The most useful output is not just the number. The triggered tests explain what to fix.
- Authentication failures, suspicious links, malformed headers, and risky copy often create avoidable score increases.
- Test the final rendered message, not a draft or partial template.
- Use MailSlurp spam checks, real inboxes, and deliverability tests together so score fixes match real inbox behavior.
How SpamAssassin scoring works
SpamAssassin evaluates each message against a set of rules. Each rule can add points, subtract points, or leave the score unchanged. The final SpamAssassin score is the sum of those rule results.
Common rule families include:
| Rule family | What it checks | Typical fix |
|---|---|---|
| Authentication | SPF, DKIM, DMARC, alignment, return-path consistency | Fix DNS records, signing, and sender alignment |
| Headers | Missing, malformed, or inconsistent message headers | Send through a stable mail service and test the final MIME message |
| Content | Promotional wording, link-heavy copy, image-only emails, suspicious formatting | Rewrite risky sections and balance links with useful text |
| Links | URL shorteners, mismatched link text, suspicious domains, tracking patterns | Use trusted branded links and consistent destinations |
| Attachments | Executables, unusual MIME types, malformed attachments | Remove unsafe attachments or send secure links |
| Reputation | Blocklists, sender history, complaint patterns | Monitor domain health and sending quality over time |
The score is diagnostic. A 6.2 result does not tell you to rewrite the whole message. It tells you to inspect the triggered tests and fix the largest contributors first.
How to read SpamAssassin headers
When SpamAssassin evaluates a message, you may see headers like these:
X-Spam-Status: Yes, score=6.2 required=5.0 tests=DKIM_INVALID,HTML_IMAGE_ONLY_16,SPF_FAIL
X-Spam-Level: ******
X-Spam-Checker-Version: SpamAssassin 4.0.0
Read the header in this order:
score: the score assigned to the message.required: the threshold where that system flags a message.tests: the rule names that explain the score.X-Spam-Level: a visual indicator, usually one*per score point.
The tests list is the remediation map. If the largest hits are authentication rules, fix SPF, DKIM, and DMARC before rewriting copy. If the hits are content rules, test the rendered body, links, image ratio, and subject line.
SpamAssassin score bands and release actions
Use score bands as operational gates:
| Score band | Risk level | Recommended action |
|---|---|---|
0.0 to 2.9 | Low | Keep the message in normal release flow and monitor drift. |
3.0 to 4.9 | Medium | Review the highest-impact rules, retest, and approve only if the message has a clear reason to send. |
5.0 to 7.9 | High | Pause broad release, fix authentication or content issues, and retest in MailSlurp. |
8.0+ | Critical | Treat as a deliverability incident and block rollout until the score and inbox placement are clean. |
For transactional email, be stricter than the default threshold. Password resets, OTPs, magic links, invoices, and account alerts should pass spam checks consistently because a single missed message can block a customer workflow.
What raises a SpamAssassin score?
Most high scores come from several small problems stacking together. Common causes include:
- Missing or failing SPF records.
- Invalid or absent DKIM signatures.
- DMARC alignment failures between the visible From domain and the authenticated sender.
- A return-path domain that does not match the sending model.
- Link text that points to a different domain than the visible URL suggests.
- Too many links relative to useful body copy.
- Image-only email with little accessible text.
- Aggressive subject lines, excessive punctuation, or misleading claims.
- Broken HTML, missing plain-text parts, or malformed MIME boundaries.
- Unusual attachments or attachment metadata.
The fastest fix is usually not "make the email less promotional." Start with the triggered rules, then confirm the root cause in the final message source.
MailSlurp workflow for checking spam score
Use this process when you need a repeatable spam score checker workflow for campaigns, onboarding emails, password resets, OTP messages, and product notifications.
1. Send the final rendered email
Send the production-rendered message to a MailSlurp inbox. Test the exact template, sender, subject, links, variables, and attachments that users will receive.
Useful entry points:
2. Inspect headers and body
Check the received message headers, HTML body, plain-text body, links, and attachments. Confirm the message contains the expected customer-specific values and that no template placeholders leaked into the final email.
3. Run authentication checks
Validate SPF, DKIM, and DMARC before you change copy. Authentication problems can add significant filtering risk even when the email content is normal.
Use these checks together:
4. Compare score and inbox placement
Run the spam score check, then verify real inbox placement with an email deliverability test. A score alone is not enough. Inbox placement, authentication, sender reputation, and message rendering all matter.
5. Retest after every fix
Change one class of issue at a time, then send the message again. Record the score, triggered rules, and inbox outcome for each version.
Example release gate for product teams
Here is a practical gate for transactional emails:
| Check | Pass condition |
|---|---|
| Message received | MailSlurp inbox receives the message within the expected timeout. |
| Spam score | Final score stays below the internal threshold, usually below 3.0 for critical auth emails. |
| Rule hits | No major authentication failures, blocklist hits, or malformed-header warnings. |
| Inbox placement | Deliverability test shows acceptable inbox placement for the target providers. |
| Content assertion | Subject, body, links, OTP, reset link, and dynamic variables match expected values. |
| Regression coverage | The same check runs in CI before template or sender changes ship. |
This is where MailSlurp becomes more than a manual checker. You can combine real inbox APIs, webhooks, email parsing, spam checks, and deliverability tests so QA and engineering teams can catch risky changes before customers see them.
How to lower a high SpamAssassin score
Fix authentication first
Authentication failures are concrete and often high impact.
- Confirm the sending IP or service is authorized in SPF.
- Confirm DKIM signing is enabled and the public key matches DNS.
- Confirm DMARC alignment matches the visible From domain.
- Confirm the return-path is expected for the sender.
- Use DMARC monitoring to catch drift after provider or DNS changes.
Clean up the rendered email
Focus on the actual message source.
- Add a plain-text part when sending HTML email.
- Keep the HTML valid and simple.
- Use clear subject lines that match the body.
- Replace vague or misleading link text with descriptive links.
- Avoid URL shorteners in production email.
- Use a healthy ratio of text to images.
- Keep unsubscribe, preference, or support links visible where appropriate.
Validate links and domains
Spam filters look at URLs and domains, not just wording.
- Use branded sending domains.
- Keep link domains consistent with user expectations.
- Avoid redirect chains that hide the destination.
- Check tracking links after personalization is applied.
Test the message class, not just one sample
An invoice, an OTP, a newsletter, and a password reset can have very different risk profiles. Test each message class with realistic data.
For example:
- OTP email with a short code and expiration copy.
- Password reset email with a one-time link.
- Trial onboarding email with product links.
- Billing receipt with attachments.
- Campaign email with images and tracking links.
Spam score vs deliverability test
A spam score checker and a deliverability test answer different questions.
| Test | Best for | What it cannot prove alone |
|---|---|---|
| Spam score check | Finding risky rules, content patterns, and authentication issues | Final inbox placement across providers |
| Deliverability test | Checking inbox, spam folder, and placement behavior | Exact rule-level cause of every score change |
| DMARC/SPF/DKIM checks | Confirming sender authentication health | Body quality, link trust, or recipient engagement |
| MailSlurp inbox test | Confirming the message was sent, received, parsed, and asserted | Long-term sender reputation by itself |
Use the tests together. A low score is strongest when authentication passes, the message renders correctly, and the deliverability test shows healthy placement.
Common mistakes
- Testing a draft instead of the final rendered email.
- Fixing copy before resolving SPF, DKIM, or DMARC failures.
- Treating a score below
5.0as automatically safe. - Ignoring the specific rule names in the SpamAssassin output.
- Testing only the happy path and skipping password reset, OTP, invoice, and campaign variants.
- Changing templates without adding a repeatable MailSlurp inbox and spam-score check.
- Looking only at one mailbox provider when the audience uses several providers.
FAQ
What SpamAssassin score is considered spam?
Many SpamAssassin installations flag a message around 5.0, but the threshold is configurable. Some systems are stricter, especially for unknown senders or risky message classes.
Is a SpamAssassin score under 5 always safe?
No. A score under 5.0 is a useful sign, but inbox placement also depends on sender reputation, provider-specific filtering, authentication alignment, engagement, and message history.
Why did my score change after editing one line?
SpamAssassin evaluates the whole rendered message. A small edit can change link ratio, phrase matching, MIME structure, or rule combinations. Retest the final message after each change.
Should I optimize for a score of zero?
Not usually. A very low score is helpful, but the goal is reliable delivery and accurate message behavior. Focus on passing authentication, avoiding risky patterns, and validating inbox placement.
Can MailSlurp help test SpamAssassin scores in CI?
Yes. MailSlurp supports automated email testing with real inboxes, message inspection, webhooks, and spam-check workflows. Teams can assert that critical messages arrive, parse dynamic values, and stay within score thresholds before release.
Continue testing
Use these MailSlurp workflows together:
- Spam score checker
- Email spam checker
- Email deliverability test
- SpamAssassin spam filter setup
- Email sandbox
- Email integration testing
Final take
A SpamAssassin score is not just a pass/fail number. It is a practical diagnostic tool. When you connect the score to headers, authentication, inbox placement, and repeatable MailSlurp tests, you can fix risky emails before they hurt signups, password resets, OTP delivery, receipts, or campaigns.