Email filters are used to create rules for how incoming emails should be processed. They are mostly used to block emails from a specific email address or to weed out spam.

cPanel has two interfaces for email filters:

  • Global Email Filters lets you create and manage filter rules that apply to all email addresses in your cPanel account.
  • Email Filters is used to create and manage filters for an individual mailbox.

Both interfaces are identical. In this article we only look at managing filters for a single email address, but the same principles apply to global email filters.

The table with email accounts on cPanel's 'Email Filters' page. For each email address there is a link to manage filters.

Image: the ‘Email Filters’ interface shows all email addresses. Click on ‘Manage Filters’ to create or edit filters for an email address.

Creating a filter rule

The Manage Filters link will take you to a page where you can create a new filter. You can also edit or delete any existing filters and test filters. We will look at testing a filter rule later. First, we should create some filters: click the Create a New Filter button to do so.

The form to create a filter rule has three parts:

Filter name

The Filter Name is the administrative name for the filter. The name can be anything you like and is used purely for your own reference. When you have lots of filter rules it is handy if the filters have names that describe what each filter does.

Rules

The Rules fields define what should be matched. There are two drop-down lists and a text field:

  • The first drop-down list lets you select an email element, such as the From header, subject line or the body of the email.
  • The second drop-down list is used to select an operator, such as “contains”, “equals” or “begins with”.
  • Finally, the text field defines the text that should be matched.

It is possible to create multiple rules by clicking on the Plus button. In general, though, this is not recommended. Simple rules are easier to administer and are processed faster.

Similarly, if you know your regular expressions you may be tempted to use the “matches regex” operator. As a rule of thumb, you should only do this if the standard operators are unworkable for what you are trying to achieve.

Actions

If an email matches a rule some action needs to be taken. You can select an action from the drop-down list. Actions include “discard message”, “fail with message” and “deliver to folder”.

The default action is “discard message”. This option will purge the email, and the sender will not receive a bounce message. Often, “fail with message” is a better option. The email will still be purged, but the sender will receive a bounce message. You can enter a custom bounce message, such as “Your email has not been delivered because it looks like spam”.

Examples

cPanel’s email filters are quite flexible. To give you an idea of what you can do we will give you a few examples. In the process we will talk about some common pitfalls as well.

Blocking senders

The below example shows a filter rule that purges all emails from newsletter@evilcorp.biz.

A filter rule that discards emails from newsletter@evilcorp.biz.

Image: discarding emails from newsletter@evilcorp.biz.

As you can see, the rule is as follows:

Name: Discard Evil Corp (newsletter@evilcorp.biz)
Rule: From contains newsletter@evilcorp.biz
Action: Discard message

If you instead want to block all emails from the domain evilcorp.biz you could change the rule so that it matches @evilcorp.biz:

Name: Discard Evil Corp (@evilcorp.biz)
Rule: From contains @evilcorp.biz
Action: Discard message

If you want, you can even block the .biz top-level domain (TLD). In that case you want to use the “ends with” operator to only match strings that end with “.biz”. By only matching the end of the string you make sure you don’t accidentally block emails that have “.biz” elsewhere in the email address. For instance, you don’t want your rule to match “lee.bizkari@example.net”.

Name: Discard .biz
Rule: From ends with .biz
Action: Discard message

With the latter rule there is of course a risk that genuine emails are purged. The .biz domain is widely used by spammers but there are legitimate users as well. Discarding an entire TLD because you are receiving lots of spam emails from certain TLDs is a very crude way of battling spam. We don’t recommend it.

Filtering body content

The below image shows an example of another bad filter rule. We are looking for the string “bitcoin” in the body of the email, and if it is found the email will be purged (without a bounce message). As an aside, the match is case-insensitive: it will also match strings like “Bitcoin” and “bItCoIn”.

A filter rule that discards emails with the string 'bitcoin' in the body. This is a bad rule.

Image: discarding emails containing the string “bitcoin”.

The idea here is to weed out sextortion emails. This is a common type of spam / scam email that claims the sender has hacked your computer and used your web cam to make an embarrassing video of you. Typically, these emails demand a payment in Bitcoins. You should always ignore these emails and there is no issue with letting the mail server purge the emails. However, there is an issue with creating a rule that simply purges any email containing the word “bitcoin”.

Why? Well, the string ‘bitcoin’ can appear in a legitimate email. A friend or colleague may make a joke about investing in Bitcoins, for instance.

There are many other words that should not be simply blocked. The most famous example is the string “sex”. Simply blocking that string will also purge emails that contain the strings “Essex”, “Sussex” and “Middlesex”, among many others. This type of unintentional blocking is known as the Scunthorpe problem.

In general, if you want to match words in the body of an email then it is best to use the “Deliver to folder” action. Selecting that option will let you select a folder, such as your Spam folder. That way the emails won’t be purged, but they won’t appear in your inbox either.

A filter rule that delivers emails containing the word "bitcoin" to the "Spam" folder.

Image: delivering bitcoin emails to the “Spam” folder.

Redirecting emails

So far we have looked at blocking emails. That is not the only function of filter rules; you can also use them to, for instance, deliver emails from certain senders to specific folders.

For the below example we created an email folder named “Unicorns”. The filter delivers all emails from @unicornfactory.ru email accounts to the Unicorns folder.

A filter rule that delivers emails from an @unicornfactory.ru address to the "Unicorns" folder.

Image: delivering unicorn emails to the “Unicorns” folder.

Clashing filters

For this article we have created three filters:

  • We are purging emails from newsletter@evilcorp.biz.
  • Emails with the string “bitcoin” in the body are moved to the “Spam” folder.
  • Emails from @unicornfactory.ru are moved to the “Unicorns” folder.

You can see the rules under Email Filters > your@email.tld > Manage Filters.

Filter rules are processed in order: the first rule is processed first and the last rule is processed last. If you have lots of filter rules you may need to make sure that the order makes sense. For instance, the Unicorns rule should probably come before the bitcoin rule, as an email from an @unicornfactory.ru address containing the string “bitcoin”.

Testing filters

In practice, though, both filter rules will be processed. The Email Filters page has a handy “filter test”. You can use this to check how an email would be routed. In the below screenshot we are testing an email from sales@unicornfactory.ru that has the word “bitcoin” in the body of the email:

Testing an email filter via cPanel's "Filter Test" function.

Image: testing our filters.

In this case the rule is matched twice and the email is delivered twice: to the Spam folder and to the Unicorns folder:

The results of the filter test. The email will be delivered to two different folders.

Image: the result of the filter test.

The output of the test isn’t very pretty or readable. However, it does show that two filters were matched. The most important information is in the two “Deliver message to” lines. They show that the test email would be delivered to both the “spam” and “Unicorn” folders.

This is counter-intuitive but it is how cPanel handles filter rules. In fact, the same happens when the bitcoin rule discards emails containing the string “bitcoin”. Odd as it sounds, the email will first be discarded and then delivered to the “Unicorns” folder. In other words, filter clashes are rare. Still, it is good practice to have a logical order in the filter rules.

Using multiple filter rules

Finally, the last example shows a good use-case for having multiple filter rules. To avoid the clash between the two filters you could have two rules, as shown in the below screenshot:

A filter with two rules. The filter will only be used if both rules are matched.

Image: a filter with two rules.

The filter is only applied if two rules are matched:

Rule 1: Body contains “bitcoin”
Rule 2: From does not contain “@unicornfactory.ru”

In other words, any emails with the word “bitcoin” in the body will be purged, apart from emails sent from an @unicornfactory.ru address. As mentioned before, we recommend keeping rules simple, but if you need to you can create more complex rules.
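
The clash and its two-rule fix can be reproduced offline with a small model of the matching behaviour described in this article. This is an added example, not cPanel's code: the `route` function, the filter tuples and the sample messages are constructed for illustration, and the bitcoin filter keeps the “deliver to Spam” action in both variants so that only the extra rule changes.

```python
from email import message_from_string

# Operators named in the article; matching is case-insensitive, as it notes.
OPS = {
    "contains": lambda v, t: t in v,
    "does not contain": lambda v, t: t not in v,
    "equals": lambda v, t: v == t,
    "begins with": lambda v, t: v.startswith(t),
    "ends with": lambda v, t: v.endswith(t),
}

def field(msg, part):
    """Return the lower-cased text that a rule is matched against."""
    if part == "Body":
        return msg.get_payload().lower()
    return (msg.get(part) or "").strip().lower()

def route(raw, filters):
    """Run every filter in order; a filter fires only if ALL of its rules match.
    Every filter that fires contributes its action (the behaviour the article reports)."""
    msg = message_from_string(raw)
    actions = []
    for name, rules, action in filters:
        if all(OPS[op](field(msg, part), text.lower()) for part, op, text in rules):
            actions.append(action)
    return actions or ["Inbox"]

# The article's three filters, plus the two-rule variant of the bitcoin filter.
EVIL = ("Discard Evil Corp", [("From", "contains", "newsletter@evilcorp.biz")], "Discard")
UNICORNS = ("Unicorns", [("From", "contains", "@unicornfactory.ru")], "Unicorns")
BITCOIN = ("Bitcoin", [("Body", "contains", "bitcoin")], "Spam")
BITCOIN_2 = ("Bitcoin", [("Body", "contains", "bitcoin"),
                         ("From", "does not contain", "@unicornfactory.ru")], "Spam")
CLASHING = [EVIL, BITCOIN, UNICORNS]
COMBINED = [EVIL, BITCOIN_2, UNICORNS]

# Constructed sample messages (not real mail).
UNICORN_MAIL = "From: sales@unicornfactory.ru\nSubject: Invoice\n\nWe accept BitCoin too.\n"
SCAM_MAIL = "From: x@example.net\nSubject: Pay up\n\nSend bitcoin now.\n"

if __name__ == "__main__":
    for label, filters in (("clashing", CLASHING), ("combined", COMBINED)):
        print(label, route(UNICORN_MAIL, filters), route(SCAM_MAIL, filters))
```

With the original filters the unicorn message lands in two folders; with the two-rule filter it reaches only the Unicorns folder, while the scam message is still caught.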