What is inbound filtering and how is it configured?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Every email that lands in your mailbox has already run a gauntlet. Before you ever see it, your email provider has checked where it came from, whether it's pretending to be someone it's not, and whether it's carrying anything nasty. That's inbound filtering at work.

Inbound filtering is the system that scans incoming email before it reaches your mailbox and decides what to do with it. Deliver it, send it to spam, quarantine it for review, or block it outright. The goal is keeping phishing attempts, malware, and spam away from your users without accidentally swallowing legitimate mail in the process.

Most filtering systems work in layers, roughly in this order:

  • Connection-level checks. The first thing a receiving server looks at is who's knocking. It checks the sending IP's reputation, applies rate limits, and runs basic blocklist lookups before accepting any message content at all.
  • Authentication checks. This is where SPF, DKIM, and DMARC come in. If a message fails these checks, the filter already has a reason to be suspicious.
  • Content scanning. The message body, subject line, links, and attachments all get scored. Spam scoring engines (some rule-based, some machine learning) compare the message against known patterns. Attachment scanners look for malware signatures.
  • User-level rules. Individual allowlists and blocklists, folder rules, and personal preferences. These override the system-level decisions for specific senders or domains.

Most organizations don't configure this from scratch. Google Workspace and Microsoft 365 both ship with their own inbound filtering already running. The configuration work is mostly about tuning the defaults to fit your situation.

But the main thing to tune is the trade-off between protection and false positives (legitimate mail getting blocked or quarantined). Tighter filtering catches more threats but risks burying real emails. Looser filtering lets more through, including some spam. Here's how to approach it:

  • Start with quarantine, not rejection. When you're unsure about a message, put it in quarantine rather than bouncing it. That way you can review misses without losing mail permanently.
  • Build your allowlist proactively. Add trusted senders and domains that your users rely on. Transactional mail from your own tools (billing systems, CRMs, support platforms) is a common false positive victim if not explicitly allowed.
  • Adjust sensitivity thresholds by domain or group. Your finance team getting stricter filtering than a general inbox makes sense. Most enterprise platforms let you set this per organizational unit.
  • Monitor quarantine regularly. A quarantine that nobody reviews is a black hole. Set a schedule or assign someone to check it.
  • Use threat intelligence feeds. Services like Spamhaus publish real-time lists of known bad actors. Most enterprise filtering tools integrate with these automatically.

One thing worth knowing: inbound filtering and outbound filtering serve completely different purposes. Inbound protects your users from outside threats. Outbound protects your domain's reputation from sending things it shouldn't. They often run on the same platform, but the logic and goals are separate.

If legitimate mail from a specific sender keeps getting caught, the fastest fix is an allowlist entry for that sender or their sending domain. If a category of email keeps getting flagged (say, newsletter-style mail from a vendor you trust), adjusting the content scoring threshold for that sender class is usually more surgical than lowering your overall sensitivity.

Not sure whether your own outbound mail is passing through other companies' inbound filters cleanly? Our free Email Header Analyzer can show you how a message was handled end-to-end, which is a good starting point for diagnosing why something landed in the wrong place.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a ranked tuning plan for your inbound filter

I'm trying to configure inbound filtering for my organization and I want to reduce false positives without opening the door to spam and phishing. Based on my setup, give me a ranked list of tuning actions to try. My details: Email platform Google Workspace / Microsoft 365 / other, most common false positive type transactional mail / newsletters / vendor emails / other, current filter stance default / strict / loose, team size number of users.

Edit the yellow boxes, then send to the AI of your choice.