What Is Spam Email? Types, Risks and How to Avoid It
What is spam email? It is any unsolicited message sent in bulk to recipients who never asked for it. Spam accounts for roughly 45% of all email traffic worldwide, according to Statista's 2025 figures, and Gmail alone blocks around 15 billion unwanted messages every day. Most of that volume never reaches an inbox. But the fraction that does still wastes time, carries security risks, and quietly damages the reputation of legitimate senders who get caught in the crossfire.
If you send marketing or transactional email for a living, spam is not just a nuisance in your own inbox. It is the benchmark your campaigns are measured against. Every filter, every complaint button and every blocklist exists because of spam, and understanding how the system works is the first step to making sure your messages land where they belong: in the primary inbox, not the junk folder.
This guide covers what spam email actually is, where it came from, the common types, how spam filters decide what to block, what the "report spam" button really does to a sender's reputation, and how to keep your own campaigns on the right side of every filter.
What is spam email?
Spam email, also called junk email or UCE (Unsolicited Commercial Email), is any electronic message that meets two conditions at the same time: it was not requested by the recipient, and it was sent in bulk to a large number of addresses. A single unwanted message from someone you know is annoying, but it is not spam in the technical sense. Spam is about scale: the same message pushed to hundreds, thousands or millions of recipients who never opted in.
The distinction matters because legitimate email marketing is not spam. When a customer fills in a signup form on your website and ticks the consent box, the campaign you send next week is a requested message to an opted-in contact. That is permission-based email, and it sits on the opposite end of the spectrum from spam. The opt-in and permission-based email guide covers the consent mechanics in detail; this article focuses on what happens when consent is absent.
Spam serves many purposes. The majority is commercial advertising for products and services the recipient never expressed interest in. A smaller but more dangerous share carries phishing links, malware payloads or fraud schemes. And a persistent slice exists purely to harvest data: open-tracking pixels that confirm a live address, or reply-to traps that feed the address back into another list.
A short history of spam email
The first known spam email was sent on 3 May 1978 by Gary Thuerk, a marketing manager at Digital Equipment Corporation (DEC). Thuerk used ARPANET (Advanced Research Projects Agency Network), the precursor to the modern internet, to send a single product-launch invitation to roughly 400 users. The message broke ARPANET's acceptable-use policy and drew immediate complaints, but it also generated an estimated $13 million in sales for DEC. Thuerk has been called the "father of spam" ever since.
The practice stayed relatively niche until the early 1990s, when a US (United States) immigration law firm mass-mailed a Green Card services advertisement across every Usenet newsgroup it could reach. That incident is widely regarded as the birth of modern spam, and it triggered the first serious public debate about unsolicited bulk messaging on open networks.
By the early 2000s, spam had exploded. At its peak it accounted for over 90% of all email traffic globally. Governments responded with legislation: the US passed the CAN-SPAM Act (the federal anti-spam law) in 2003, the UK (United Kingdom) adopted PECR (Privacy and Electronic Communications Regulations) the same year, and the EU (European Union) followed with updates that eventually fed into the GDPR (General Data Protection Regulation) framework. These laws did not eliminate spam, but they gave regulators and ISPs (Internet Service Providers) the legal backing to penalise senders and the technical mandate to build better filters.
The filters caught up. SpamAssassin launched in 2001, Gmail introduced its filtering engine in 2004, and by the mid-2010s the percentage of spam reaching inboxes had fallen sharply even as the absolute volume kept rising. Today, the spam problem is largely invisible to the average recipient, but for anyone who sends email at scale, the filtering infrastructure built to fight spam is the single biggest factor determining whether a message reaches the inbox or disappears into junk.
Common types of spam email
Spam emails arrive with different intentions, and each type carries a different level of risk.
| Type | Purpose | How to recognise it | Risk level |
|---|---|---|---|
| Unsolicited advertising | Sell a product or service | Unknown sender, exaggerated claims, no unsubscribe link | Low to moderate |
| Phishing | Steal credentials or financial data | Impersonates a bank, retailer or government body; urgent language; fake URL | High |
| Fake campaign / prize scam | Extract clicks or personal data | "Congratulations, you won!", offers that are too good to be true | High |
| Malware attachment | Install a virus, trojan or ransomware | Unexpected attachment, unusual file format (.exe, .scr, .zip from unknown sender) | Very high |
| Invoice / delivery fraud | Trick recipient into paying | Unexpected invoice, fake parcel-tracking notification | High |
| Chain letter | Spread and harvest addresses | "Forward this to 10 people" format | Low |
| BEC (Business Email Compromise) | Trick employee into a wire transfer | Impersonates a CEO (Chief Executive Officer) or supplier, requests urgent payment or data | Very high |
Phishing deserves a longer note because it does more damage per message than any other category. A well-crafted phishing email mirrors the branding, tone and layout of a trusted organisation so closely that even experienced users pause before deciding whether it is real. The tell-tales are in the details: a sender address one character off from the genuine domain, a URL (Uniform Resource Locator) that resolves to a different host when you hover over it, and language designed to create urgency ("Your account will be suspended in 24 hours").
BEC (Business Email Compromise) is a targeted variant of phishing. Instead of casting a wide net, the attacker researches a specific company, impersonates a senior executive or a supplier, and sends a single carefully worded email to the person who controls payments. BEC losses globally exceeded $2.9 billion in 2023, according to the FBI (Federal Bureau of Investigation) Internet Crime Report. It is one of the reasons email authentication matters far beyond the spam folder: a properly configured SPF, DKIM and DMARC setup makes it substantially harder for an attacker to forge your domain.
How spam filters work
Every major mailbox provider runs its own filtering engine, but the underlying principles trace back to SpamAssassin, an open-source platform created by Justin Mason in 2001 and adopted by the Apache Software Foundation in 2004. SpamAssassin introduced the scoring model that the rest of the industry now uses in one form or another: each incoming message is tested against dozens of rules, each rule adds or subtracts points, and if the total score crosses a threshold the message is flagged as spam.
The five categories that matter most:
1. Subject line analysis. All-caps text, excessive exclamation marks, misleading subjects and classic trigger phrases ("act now", "free", "guaranteed") all add points to the spam score. Modern filters also look for subject lines that contradict the body content.
2. Sender authentication. The filter checks whether the sending domain has valid SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) records, and whether those records align with the message headers. Missing or broken authentication is one of the strongest spam signals there is, which is why the SPF, DKIM and DMARC guide is essential reading for any sender.
3. Content analysis. The filter scans the body for known spam patterns: high image-to-text ratio, hidden text, suspicious links, URL shorteners that mask the real destination, and keyword clusters associated with fraud. It also checks whether the HTML (HyperText Markup Language) is well-formed or full of rendering hacks designed to evade earlier filters.
4. Blocklist lookup. The sending IP (Internet Protocol) address and domain are checked against public and private blocklists (sometimes still called blacklists). Spamhaus, Barracuda and SURBL (Spam URI Realtime Blocklist) are among the most widely referenced. A single blocklist entry can cause an entire campaign to be rejected before the content is even evaluated.
5. Header and technical checks. The filter inspects the email header structure for anomalies: mismatched From and Return-Path domains, missing Message-ID, broken MIME (Multipurpose Internet Mail Extensions) boundaries and other deviations from RFC (Request for Comments) standards. A clean header is a trust signal; a messy one is a red flag.
Gmail, Outlook and Yahoo layer machine-learning models on top of these rule-based checks, incorporating recipient behaviour signals (opens, clicks, replies, spam reports, moves to primary) to tune filtering decisions in real time. The net effect is that a message your subscribers engage with is treated more favourably than an identical message sent to an unengaged segment, which is one of the strongest arguments for keeping your list clean through regular email verification.
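The rule-based scoring model described in this section can be sketched in a few lines. This is an added example, not SpamAssassin's code or any provider's: the rule names, weights and threshold are assumptions, the rules cover only categories 1 and 5 plus one negative-scoring authentication rule, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

THRESHOLD = 5.0                               # assumed cut-off for this example
TRIGGERS = ("act now", "free", "guaranteed")  # phrases quoted in the article

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return (total_score, fired_rules) for a raw message; weights are assumed."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    fired = []
    # Category 1: subject line analysis
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 8 and all(c.isupper() for c in letters):
        fired.append(("SUBJ_ALL_CAPS", 1.5))
    if subject.count("!") >= 3:
        fired.append(("SUBJ_EXCESS_EXCLAIM", 1.0))
    hits = [t for t in TRIGGERS if re.search(rf"\b{re.escape(t)}\b", subject, re.I)]
    if hits:
        fired.append(("SUBJ_TRIGGER_PHRASE", 0.5 * len(hits)))
    # Category 5: header and technical checks
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        fired.append(("FROM_RETURNPATH_MISMATCH", 2.0))
    if not msg.get("Message-ID"):
        fired.append(("MISSING_MESSAGE_ID", 2.0))
    # Rules can also subtract points: a recorded DMARC pass lowers the score
    if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
        fired.append(("DMARC_PASS", -1.5))
    return sum(points for _, points in fired), fired

def is_spam(raw):
    return score_message(raw)[0] >= THRESHOLD

# Constructed sample messages (not real mail)
SPAM_SAMPLE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Prize Team" <winner@shop.example.com>\n'
    "Subject: ACT NOW!!! FREE GUARANTEED PRIZE\n\n"
    "Claim it today.\n"
)
HAM_SAMPLE = (
    "Return-Path: <news@example.com>\n"
    'From: "Example Shop" <news@example.com>\n'
    "Message-ID: <20260413.1@example.com>\n"
    "Authentication-Results: mx.example.org; dmarc=pass header.from=example.com\n"
    "Subject: Your April order update\n\n"
    "Thanks for your order.\n"
)
```

Calling `score_message()` on a draft returns the list of fired rules alongside the total, which is the same "which rules fired, how many points each one added" view a pre-send test report gives.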
What the "report spam" button really does to senders
Every email client has a "Report spam" or "Mark as junk" button. Most recipients think it is just a personal preference: "I do not want this email, move it to junk." In reality, clicking that button triggers a chain of events that directly affects the sender's ability to reach anyone's inbox.
Step 1. The message moves to the spam folder.
Step 2. The mailbox provider logs a negative signal against the sender's IP address and domain.
Step 3. The provider's filtering algorithm updates. Future messages from the same sender are more likely to be routed to spam for other recipients, even those who never complained.
Step 4. If complaints accumulate past a threshold, the sender's reputation degrades to the point where messages are rejected outright with a 550 error code, not just filtered to spam but blocked at the gate.
Google and Yahoo's sender requirements set the complaint-rate ceiling at 0.3%. On a 10,000-address campaign, that means 30 spam reports are enough to cross the line. Cross it repeatedly and the consequences escalate from spam-folder routing to permanent rejection. The Google, Yahoo and Microsoft sender-rules guide covers the full enforcement timeline.
This is why the distinction between unsubscribe and report spam matters enormously for senders. An unsubscribe is a normal subscriber action. It removes one person from the list and has zero impact on sender reputation. A spam report is a public accusation that the sender is mailing people who did not ask for it, and the provider treats it accordingly.
The practical takeaway: make the unsubscribe link visible, easy to find and one-click. If a recipient who wants to leave cannot find the unsubscribe option, the next best alternative in their mind is the spam button, and that alternative costs you far more than a lost subscriber.
How to avoid the spam folder as a sender
This section is not about protecting your inbox from spam. It is about protecting your campaigns from being treated as spam. If you send marketing or transactional email, these are the controls that keep your messages in the primary inbox.
1. Send only to opted-in contacts. This is the foundation. Double opt-in is the strongest form of consent because the subscriber has confirmed the address and the intent. Purchased, scraped or rented lists carry spam-trap risk, complaint risk and, in the UK, a direct breach of PECR and UK GDPR. No amount of technical optimisation compensates for a list built without permission.
2. Authenticate your domain. Configure SPF, DKIM and DMARC before you send anything. Authentication tells every filter in the chain that your messages come from a verified source. A missing SPF record or a broken DKIM signature can land a perfectly legitimate campaign in junk even if the content is clean and the list is opted-in. The Return-Path configuration is part of this stack: a Return-Path on your own domain gives you SPF alignment, so that DMARC passes on the SPF side as well as the DKIM side.
3. Test before you send. Tools like mail-tester.com run your email through a SpamAssassin-based scoring engine and return a detailed report: which rules fired, how many points each one added, and what to fix. A two-minute test before every campaign is cheaper than a week of degraded deliverability after one.
4. Clean your list regularly. Invalid addresses produce hard bounces, and hard bounces tell mailbox providers that the list is unmaintained. Keep the bounce rate below 2% by running periodic email verification passes and suppressing addresses that consistently soft-bounce. A clean list also reduces the chance of hitting a spam trap, because traps overwhelmingly live on lists that have not been cleaned in months.
5. Watch your content signals. Avoid all-caps subject lines, excessive exclamation marks and classic trigger phrases. Keep the image-to-text ratio balanced. Use a recognisable sender name and a consistent From address. None of these rules is absolute on its own, but together they determine whether the spam score stays below the threshold or tips over it.
6. Send on a consistent schedule. A sender that mails once a month and then fires three campaigns in a single day looks suspicious to filtering algorithms. Consistent cadence builds a predictable sending pattern that filters learn to trust. If you need to increase volume, ramp up gradually over several sends rather than jumping from low to high overnight.
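For the authentication step (item 2), the check below reads the `Authentication-Results` header a receiver stamps on a test send and reports whether SPF and DKIM each passed and aligned with the From domain. It is an added example, not code from any provider: the function names and sample messages are constructed, and relaxed alignment is simplified to "same domain or parent/child" rather than a full organizational-domain comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified to 'same domain or parent/child'.
    Assumption: a full evaluator compares organizational domains instead."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def dmarc_paths(raw):
    """Report which path (SPF, DKIM) both passed and aligns with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Join repeated headers and collapse folding whitespace before matching
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    spf = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)",
                    results, re.I)
    dkim = re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", results, re.I)
    spf_ok = bool(spf) and aligned(spf.group(1), from_domain)
    dkim_ok = any(aligned(d, from_domain) for d in dkim)
    # DMARC needs at least one path that both passes and aligns
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

def sample(mailfrom, dkim_d):
    """Build a constructed message as a receiver would have stamped it."""
    return (
        f"Return-Path: <bounce@{mailfrom}>\n"
        f"Authentication-Results: mx.example.org; spf=pass smtp.mailfrom={mailfrom};"
        f" dkim=pass header.d={dkim_d}\n"
        'From: "Example Shop" <news@example.com>\n'
        "Subject: April newsletter\n\nHello.\n"
    )

# Constructed scenarios; esp.example.net stands in for a provider's shared domain
SHARED_EVERYTHING = sample("esp.example.net", "esp.example.net")
SHARED_RETURN_PATH = sample("esp.example.net", "example.com")
CUSTOM_RETURN_PATH = sample("bounce.example.com", "example.com")
```

The first scenario shows SPF and DKIM both reporting `pass` while DMARC still fails, because neither authenticated domain matches the From domain; the third shows the custom Return-Path adding the SPF-aligned path.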
Frequently asked questions
What does spam email mean?
Spam email is any unsolicited message sent in bulk to recipients who did not ask for it. The word "spam" originally comes from a Monty Python sketch in which every item on a restaurant menu contained SPAM (the Hormel canned meat product), making it impossible to avoid. The name stuck because unsolicited bulk email behaves the same way: it fills your inbox whether you want it or not.
Should I worry about spam emails?
Most spam is filtered before it reaches your inbox, but the messages that get through can carry real risks. Phishing emails steal credentials. Malware attachments infect devices. Invoice fraud costs businesses money. The safest approach is to never click links or open attachments in messages from unknown senders, and to use the "report spam" button rather than replying or clicking unsubscribe in emails you do not trust.
What is an example of a spam email?
A common example is an email from an unknown sender claiming you have won a prize or a gift card, asking you to click a link and enter personal details to claim it. Other examples include unsolicited product advertisements, fake parcel-delivery notifications from courier brands you have not used, and emails impersonating your bank asking you to "verify" your account by entering your password on a fake login page.
How do I stop spam emails?
Mark unwanted messages as spam in your email client to train the filter. Never reply to spam, because a reply confirms your address is active. Unsubscribe only from senders you recognise and trust. Be cautious about where you share your email address online. If you manage your own domain, configure SPF, DKIM and DMARC to reduce the chance of your address being spoofed.
Is sending spam email illegal in the UK?
Yes. PECR (Privacy and Electronic Communications Regulations) 2003 makes it illegal to send unsolicited marketing email to individuals without their prior consent. The ICO (Information Commissioner's Office) can fine organisations up to £500,000 for serious breaches. UK GDPR adds a further layer: personal data used for direct marketing must be processed lawfully, and sending to people who never opted in fails the lawfulness test.
What is the difference between spam and phishing?
Spam is a volume play: unsolicited messages sent to as many addresses as possible, usually for advertising. Phishing is a targeted attack: messages designed to trick a specific person or group into revealing credentials, financial data or access. All phishing is spam (unsolicited and unwanted), but most spam is not phishing (it tries to sell, not steal). Phishing is substantially more dangerous because a single successful attack can compromise an entire organisation.
What is a spam trap and why does it matter?
A spam trap is an email address that mailbox providers and anti-spam organisations use to catch senders with poor list practices. Pristine traps were never real addresses; they are seeded on the web to catch scrapers and list buyers. Recycled traps were once real mailboxes that were abandoned and later repurposed. Hitting either type is a strong negative signal that can land a sender on a blocklist. Regular email verification is the most effective way to catch traps before they cause damage.
Originally published: Apr 13, 2026

