You already have a spam filter. Here’s why it’s not working

Your inbox has had a spam filter since the day you opened it.

Gmail, Outlook, Apple Mail—they all come with one switched on by default. Your phone does too. 

So why is junk still getting through?

Usually, it’s not the filter. It’s how you’re using it.

And in this article, we’ll show you how to do it right.

In short
  • Every major email provider and mobile OS includes a spam filter by default, and you don’t have to do anything extra.
  • Spam filters learn to recognize spam from your behavior—mainly from what you report as spam. If you only delete emails, without reporting them as spam, filters receive no data to learn from. Likewise, if you report emails that aren’t spam as spam—such as newsletters you’ve subscribed to—you’re decreasing the filters’ accuracy.
  • For personal use, built-in filters are enough if trained adequately; businesses may need a third-party layer on top.

Your filter is already running

You don’t need to install third-party spam filters. 

Gmail, Outlook, and most major email clients have spam filters enabled by default, sitting quietly in the background of every email you receive.

Your phone is the same. 

Android has Caller ID & Spam Protection built into the Phone app—this is what intercepts calls flagged as “spam risk” before they reach you.

iPhones let you silence unknown callers and filter unknown message senders straight from Settings.

These features exist—most people just never check whether they’re on.

The problem isn’t that the filter is missing. It’s that it’s working with almost no information about what you consider spam.

What the filter is actually doing

Every email that lands in your inbox has already passed through a stack of automated checkpoints. Here’s what’s happening behind the scenes.

1) Content and heuristic analysis 

The filter reads the message—subject line, body, and links—and looks for red flags. Trigger phrases like “You’ve won!”, excessive capitalization, and suspicious URLs all push the spam score up. 

This is the fast first pass.

2) Bayesian filtering 

This is the learning layer. 

Spam filters use statistical machine learning to classify messages based on patterns found in emails you’ve already marked as “spam” or “not spam.” 

The more you interact with it—correctly—the sharper it gets. Gmail’s filters learn directly from user actions.

Most people tend to delete spam emails right away, effectively starving this system of data.

3) Blocklist checks 

Incoming mail is cross-referenced against DNS-based blackhole lists (DNSBLs)—databases of known spammer IP addresses and domains. If the sender’s address is on the list, it’s flagged before anyone reads a word.

4) Authentication checks (SPF, DKIM, DMARC) 

Every email carries information about where it came from. Gmail checks that information against three protocols—SPF, DKIM, and DMARC—to verify the sender is actually who they claim to be.

Here’s what each one does:

  • SPF (Sender Policy Framework) is like a guest list. The domain owner publishes a list of servers that are allowed to send email on their behalf. If the email arrives from a server that’s not on that list, it fails the check.
  • DKIM (DomainKeys Identified Mail) is like a wax seal. The sending server stamps the email with a unique digital signature before it leaves. Gmail checks that seal on arrival—if the message was altered in transit, the seal is broken.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy that ties both together. It tells Gmail what to do if SPF or DKIM fails: let it through, quarantine it, or reject it outright.

If an email claims to be from your bank but fails these checks, it’s almost certainly a spoofing attempt—and Gmail will treat it accordingly.
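How the three results combine into a delivery decision, as an added example (not from the original article and not Gmail's implementation). It assumes strict alignment, where the authenticated domain must equal the From domain (DMARC's default relaxed mode compares organizational domains instead); the headers and domains are constructed samples.

```python
import re

def parse_auth_results(header):
    """Parse an Authentication-Results value into (method, result, props) tuples."""
    parsed = []
    for clause in header.split(";")[1:]:  # the first field names the checking server
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;()]+)", m.group(3)))
            parsed.append((m.group(1).lower(), m.group(2).lower(), props))
    return parsed

def dmarc_disposition(auth_header, from_domain, policy):
    """policy is the p= value of the sender's DMARC record: none, quarantine or reject."""
    # Which property carries the domain that each method authenticated.
    domain_prop = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    for method, result, props in parse_auth_results(auth_header):
        if method not in domain_prop or result != "pass":
            continue
        domain = props.get(domain_prop[method], "").rsplit("@", 1)[-1]
        # A pass only counts if it is for the domain shown in the From line.
        if domain.lower() == from_domain.lower():
            return "deliver"
    # Neither SPF nor DKIM produced an aligned pass: apply the sender's policy.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

# Constructed sample headers (not captured from real mail).
GENUINE = "mx.receiver.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example"
# SPF passes, but for the sending service's own domain, not the one in From.
SPOOFED = "mx.receiver.example; spf=pass smtp.mailfrom=bulk-mailer.example; dkim=none"
# Forwarding breaks SPF, but the DKIM signature still verifies.
FORWARDED = "mx.receiver.example; spf=fail smtp.mailfrom=bank.example; dkim=pass header.d=bank.example"

if __name__ == "__main__":
    for name, hdr in [("genuine", GENUINE), ("spoofed", SPOOFED), ("forwarded", FORWARDED)]:
        print(name, dmarc_disposition(hdr, "bank.example", "reject"))
```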

Each email gets an aggregate spam score. Cross the threshold—it’s gone to Junk. Stay below it—it reaches you. The threshold is adjustable, which matters more than most people realize.

If you’ve already clicked on something suspicious, here’s what to do if you accidentally opened a spam email.

Why spam is still getting through

Here’s where most guides lose the thread. They explain how filters work but never tell you what you’re doing wrong.

1) You’re deleting, not reporting

This is the single most common mistake. 

→ Deleting spam removes it from your view. 

→ Reporting it as spam sends a signal to the filter—“this pattern is bad, learn from it.”

Simply deleting spam fails to train the Bayesian/machine learning algorithm. The filter has no idea you were unhappy with that message. It will let similar ones through tomorrow.

The same works in reverse: if a legitimate email lands in Junk, click “not spam.” That trains the filter too.

Note: Every time you hit “delete” on spam instead of “report spam,” you’re teaching your filter nothing. One extra click is the difference between a filter that improves and one that stays mediocre forever.

It’s a bit of extra work but it’s worth the effort.

2) You’re reporting graymail as spam

“Graymail” is an email you actually subscribed to—a newsletter, a brand you bought from once, a mailing list you joined and forgot. 

It’s not malicious, but it’s cluttering your inbox, so you might be tempted to hit “report spam.”

That’s a mistake. 

Using “report spam” on a legitimate sender poisons your filter’s accuracy—you’re training it to treat real senders as threats. 

Use “unsubscribe” for graymail. Save “report spam” for the actual junk: phishing attempts, unsolicited commercial email, and anything you never opted in to.
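The effect of deleting versus reporting, and of reporting graymail, on the Bayesian layer described earlier, as an added example that is not from the original article or any provider's filter. The class, the smoothing constants and the sample messages are constructed for illustration.

```python
import math
from collections import Counter

class FeedbackFilter:
    """Word-level Bayesian spam filter trained only by explicit user feedback."""
    def __init__(self):
        self.docs = {"spam": Counter(), "ham": Counter()}  # messages containing each word
        self.total = {"spam": 0, "ham": 0}                 # messages seen per label

    def train(self, text, label):
        # Runs on "report spam" / "not spam". Deleting a message never calls this.
        self.docs[label].update(set(text.lower().split()))
        self.total[label] += 1

    def spamicity(self, word):
        spam_n, ham_n = self.docs["spam"][word], self.docs["ham"][word]
        n = spam_n + ham_n
        if n == 0:
            return 0.5  # unseen word: no evidence either way
        s = spam_n / max(self.total["spam"], 1)
        h = ham_n / max(self.total["ham"], 1)
        # Robinson-style smoothing: rarely seen words stay close to 0.5.
        return (0.5 + n * s / (s + h)) / (1 + n)

    def spam_probability(self, text):
        probs = [self.spamicity(w) for w in set(text.lower().split())]
        log_odds = sum(math.log(p / (1 - p)) for p in probs)
        return 1 / (1 + math.exp(-log_odds))

# Constructed sample mailbox (not real messages).
HAM = ["meeting notes attached for monday", "your store order receipt is attached"]
SPAM = ["claim your free prize now", "free prize winner claim now"]
GRAYMAIL = ["weekly deals newsletter from your store",
            "store newsletter new deals for your next order"]
NEW_SPAM = "winner claim your free prize"
RECEIPT = "your store order receipt for march"

def simulate(report_spam, report_graymail):
    """Return (score of unseen spam, score of a legitimate receipt)."""
    f = FeedbackFilter()
    for m in HAM:
        f.train(m, "ham")
    # Deleted spam is never trained on; reported graymail is trained on as spam.
    for m in (SPAM if report_spam else []) + (GRAYMAIL if report_graymail else []):
        f.train(m, "spam")
    return f.spam_probability(NEW_SPAM), f.spam_probability(RECEIPT)

if __name__ == "__main__":
    for name, args in [("delete", (False, False)), ("report", (True, False)), ("graymail", (True, True))]:
        print(name, [round(p, 3) for p in simulate(*args)])
```

With these samples, deleting leaves the unseen spam below 0.5, reporting pushes it above 0.99, and reporting the store's newsletters as spam raises the score of the store's legitimate receipt by more than a factor of ten.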

3) You got hit by a data breach

If you woke up one morning to hundreds of spam emails when you normally get five, your address was probably exposed—sold by a data broker or leaked in a breach. 

No spam filter is going to stop a flood of new senders you’ve never seen before. The filter catches patterns it knows. A fresh batch of attackers with fresh addresses is a different problem—one the filter can’t solve alone.

How to actually train your filter

Now that we’ve got a bit of the theory, let’s move into the practical part and see how you can train your filters.

Gmail

Gmail’s filter is already on. Your job is to use it correctly.

  • Hit “report spam” (not “delete”) on spam emails 
  • Hit “not spam” when something legitimate lands in Spam
  • For persistent senders that keep slipping through: “settings” → “filters and blocked addresses” → “create a new filter.”

Outlook

Outlook’s Junk Email Filter has four protection levels—and it defaults to “low,” which catches only the most obvious junk.

  • Go to “home” → “block” → “junk email options” and consider bumping it to “high”
  • Add trusted senders to the Safe Senders List to prevent false positives
  • Add persistent spammers to Blocked Senders.

Android

  • Open the Phone app → “settings” → “caller ID & spam” → turn it on

For calls that still slip through, a dedicated call blocker gives you an extra layer.

  • In Google Messages: open a conversation → “more” → “report spam.”

For a deeper look: how to stop spam texts on Android & iPhone.

iPhone

  • Silence Unknown Callers: “settings” → “phone” → “silence unknown callers”
  • Filter unknown messages: “settings” → “messages” → “filter unknown senders.”

Silence Unknown Callers cuts down on spam calls and robocalls significantly—but it’s off by default.

For more on filtering spam on Apple Mail specifically, see how to stop spam emails on iPhone.

When built-in isn’t enough

For personal use, properly trained built-in filters handle the vast majority of spam. You don’t need a third-party app.

For businesses, the calculus shifts. 

Built-in Microsoft 365 and Google Workspace filters are reactive by design—they catch threats already documented on blocklists. Advanced phishing campaigns, ransomware payloads, and zero-day attacks arrive before the blocklists know about them.

Third-party email gateways sit upstream—between the internet and your mail server—and add a second sieve. They’re not a luxury for enterprise; at scale, they’re standard practice.

A few worth knowing:

SpamTitan—best for small and mid-sized businesses. It claims to catch 99.97–99.99% of spam messages, runs two antivirus engines at once, and works with Microsoft 365.

Mimecast—built for larger organizations. One standout feature: it rechecks links at the moment you click them, not just when the email arrives. That matters because a safe-looking link can turn malicious after delivery. They claim an extremely low false-positive rate—but that’s a self-reported number, so take it with a grain of salt.

SpamHero—charges per domain rather than per user, which can save bigger teams a lot of money. Rule-based filtering with protection against brand-new threats.

MX Guarddog—cloud-based, no installation needed, and there’s a free trial available. A solid, low-effort option for small operations that just want a basic extra layer of protection.

MailWasher—runs on your desktop and lets you preview and delete emails before they even download to your device. Best for individuals or small business owners who want to stay in control manually.

But there’s one thing this comparison won’t tell you:

None of these tools fix the root cause of a spam flood

If your email address is circulating in data broker databases—bought and sold without your knowledge—new spam will keep arriving from senders these filters have never seen. 

A gateway catches what it recognizes. It can’t stop what it hasn’t been trained on yet.

Solution? Act preventively, not reactively.

Consider subscribing to a data removal service that takes care of your data circulating where it’s not supposed to. 

With Incogni, for example, you get coverage of over 420 data brokers out of the box. All automated, with no input from your end required.

If they can’t find you, they can’t harm you.



FAQ

Why should I never just delete spam? 

Deleting cleans your inbox. Reporting spam tells the filter something was wrong—and filters learn from that signal. Delete and nothing improves. Report and the filter gets smarter.

Why am I suddenly getting hundreds of spam emails? 

Your address was probably exposed in a data breach or sold by a data broker. A spam filter won’t stop a flood of new, unknown senders—it only knows what it’s seen before. If this happened to you, the fix isn’t a better filter. It’s removing your data from the sources that keep selling it.

Is there a spam filter on my phone? 

Yes. Android’s Caller ID & Spam Protection and iOS’s Silence Unknown Callers are both built-in—just not always switched on by default. These are supposed to flag and block potential spam calls.

What’s the best spam filter for personal use? 

Gmail or Outlook, properly trained. Use “report spam” consistently, clear out graymail with “unsubscribe”, and check that mobile filtering is enabled. That covers the majority of what most people need.

How do I stop spam permanently? 

You can reduce it significantly—but you can’t eliminate it entirely through filtering alone. Train your filter, use a separate email address for sign-ups and online forms, and if your address is already widely circulated, consider a data removal service to pull it from broker databases at the source.

For a full walkthrough of email-specific fixes, see our guide on how to stop spam emails.

How do I turn on the spam filter?

It depends on your platform, but if you’re using any of the major email providers—like Gmail, Outlook, or Apple Mail—spam filters are already on. You don’t have to activate them separately. 
