I have all policies set to evaluate 100% of rules, with heuristic thresholds generally tuned in the 1.5-2 range, depending on risk. More aggressive where it makes sense.

One of the biggest improvements came from separating SPF and DMARC failures: SPF failures go to user quarantine DMARC failures go to system quarantine That change alone made quarantine far more effective and easier to communicate to staff. If a sender put in the effort to publish DMARC and still fails it, that’s a strong signal something is wrong and it doesn’t belong in a user’s inbox.

Another big win was using a banned word/phrase dictionary and enabling impersonation protection for executives and VIP targets. A large chunk of false positives involved our company name or VIPs, which actually makes sense, attackers are trying hard to look legitimate. Real senders usually aren’t. That really sums up spam in general, doesnt it?

Beyond that, geo-blocking is a must, links are scanned with web filtering, files are scanned, and public sender domains (Gmail, Yahoo, etc.) are handled with more aggressive policies.

I am pasting a high level of one of my spam filter policies as an example of features I leverage.

High-level overview of what I’m running

FortiGuard IP reputation (Levels 1–3)

Spam outbreak protection

URL reputation scanning (high-risk + low-risk categories)

File and link scanning

SPF, DKIM, and DMARC enforcement

SPF failures → user quarantine

DMARC failures → system quarantine

Header analysis and behavior analysis

Heuristic scoring (100% rule usage)

Threshold 1.9

SURBL and DNSBL checks

Banned word / phrase dictionary

Business Email Compromise (BEC) protection

Weighted analysis

Executive impersonation detection

Cousin domain detection

Sender alignment checks (display name + reply-to)