Spam filtering and mail authentication used to mean buying a separate appliance, configuring a third-party gateway, or accepting whatever bare-minimum protection came with your control panel. Panelica ships all of this out of the box -- no add-ons, no extra cost, no third-party dependencies.
Here is what is active the moment you enable the mail stack.
SpamAssassin with Bayesian Learning
Every incoming message is scored by SpamAssassin against hundreds of rules -- header analysis, content patterns, DNS-based checks, and more. What makes it improve over time is the Bayesian engine: a daily cron job feeds messages from each user's Junk and Sent folders back into the filter. The more mail flows through the system, the more accurate the scoring becomes. No manual training required.
Local DNSBL Resolver
Blocklist lookups (Spamhaus, Spamcop, Barracuda, and others) run through the server's own localhost BIND resolver rather than hitting public DNS servers on every query. This means faster lookups, no rate-limiting from external resolvers, and no privacy leakage of your mail traffic to third-party DNS infrastructure.
Inbound DMARC Validation (OpenDMARC)
The OpenDMARC milter sits between Postfix and delivery. It checks each incoming message's SPF and DKIM alignment against the sender domain's published DMARC policy -- and acts accordingly (accept, quarantine, or reject). This is the layer that stops spoofed mail from reaching inboxes.
Postscreen with Conservative Spamhaus RBL (opt-in, off by default)
Postscreen runs before the SMTP handshake completes. It checks the connecting IP against real-time blocklists and drops botnet/zombie senders before they ever deliver a message. Because aggressive RBL settings can occasionally catch legitimate senders, this layer ships off by default. Panelica uses a conservative threshold to minimize false positives. You enable it when you are confident your mail patterns can handle it.
Outbound DANE with DNSSEC TLSA (opt-in)
When you send mail to a domain that publishes DANE records, DANE ensures that the TLS certificate on the receiving end is exactly what DNSSEC says it should be -- making man-in-the-middle and TLS downgrade attacks ineffective. This requires your sending domain to be DNSSEC-signed. Like Postscreen, it is opt-in: you enable it when your infrastructure is ready.
MTA-STS
MTA-STS publishes a policy that tells other mail senders: only deliver to this server over TLS, no exceptions. Senders that support MTA-STS refuse to deliver mail if they cannot establish a verified TLS connection, eliminating downgrade attacks from the inbound side.
Sieve-Based Junk Routing
Messages flagged as spam are automatically delivered to the user's Junk folder rather than the inbox. This is the standard behavior users expect from any professional mail setup, and it is wired in automatically via Sieve.
Honest Status Badges
The panel interface shows actual runtime state, not assumed state. If a protection layer is configured but not running, the badge reflects that. You always know what is genuinely active on the server.
All controls are in Email > Protection. Basic anti-spam layers (SpamAssassin, local DNSBL, Sieve routing, MTA-STS) are active when the mail stack is enabled. Advanced layers -- DMARC enforcement, Postscreen, and DANE -- are opt-in toggles you control individually.
- Go to Email > Protection in the panel.
- The basic protections are already enabled -- verify the status badges show active.
- To enable DMARC validation, toggle DMARC Enforcement on. Make sure your domain has a valid DMARC DNS record first.
- To enable Postscreen, toggle Postscreen (RBL) on. Monitor your mail logs after enabling it to confirm no legitimate senders are being blocked.
- To enable DANE, toggle DANE (DNSSEC TLSA) on. This only takes effect if your domain's DNS is DNSSEC-signed.
For a full walkthrough of DNS prerequisites and the recommended enable order, see the step-by-step how-to thread in the Email and Mail Server section of this forum.
The Panelica Team
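
One way to carry out the log check that the Postscreen step above asks for, as an added example (not Panelica's code): it parses postscreen DNSBL rejection lines in Postfix's standard log format and lists rejected senders whose domain you expect mail from. The sample log lines, the addresses and the `EXPECTED` set are constructed for illustration.

```python
import re
from collections import defaultdict

# postscreen's DNSBL rejection line, in the format described in Postfix's POSTSCREEN_README.
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r"\d{3} [\d.]+ .*?blocked using (?P<rbl>[^;]+); "
    r"from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
May 12 09:14:01 mx1 postfix/postscreen[2211]: CONNECT from [203.0.113.45]:51234 to [192.0.2.10]:25
May 12 09:14:01 mx1 postfix/postscreen[2211]: DNSBL rank 3 for [203.0.113.45]:51234
May 12 09:14:07 mx1 postfix/postscreen[2211]: NOQUEUE: reject: RCPT from [203.0.113.45]:51234: 550 5.7.1 Service unavailable; client [203.0.113.45] blocked using zen.spamhaus.org; from=<promo@bulk.example>, to=<info@example.org>, proto=ESMTP, helo=<bulk.example>
May 12 09:20:19 mx1 postfix/postscreen[2211]: NOQUEUE: reject: RCPT from [198.51.100.77]:40112: 550 5.7.1 Service unavailable; client [198.51.100.77] blocked using zen.spamhaus.org; from=<billing@partner.example>, to=<accounts@example.org>, proto=ESMTP, helo=<mail.partner.example>
May 12 09:31:02 mx1 postfix/postscreen[2211]: NOQUEUE: reject: RCPT from [192.0.2.9]:33870: 550 5.7.1 Service unavailable; client [192.0.2.9] blocked using zen.spamhaus.org; from=<>, to=<info@example.org>, proto=ESMTP, helo=<localhost>
May 12 09:40:55 mx1 postfix/postscreen[2211]: PASS NEW [198.51.100.20]:52001
"""

EXPECTED = {"partner.example"}  # assumption: domains you know you should receive mail from

def parse_rejects(log_text):
    """Return one dict (ip, rbl, sender, rcpt) per postscreen DNSBL rejection."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]

def possible_false_positives(rejects, expected_domains):
    """Group rejections whose envelope sender domain is one you expect mail from.
    The envelope sender can be forged, so a hit is a lead to investigate, not proof."""
    expected = {d.lower() for d in expected_domains}
    hits = defaultdict(set)
    for r in rejects:
        domain = r["sender"].rpartition("@")[2].lower()  # "" for the null sender <>
        if domain in expected:
            hits[domain].add((r["ip"], r["rbl"]))
    return {d: sorted(v) for d, v in hits.items()}

if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    print(f"{len(rejects)} postscreen DNSBL rejections")
    for domain, sources in possible_false_positives(rejects, EXPECTED).items():
        for ip, rbl in sources:
            print(f"review: {domain} rejected from {ip} (listed on {rbl})")
```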