Can I turn off spam protection?
TL;DR No, it's unfortunately not possible to turn off spam protection for your domain or account. Further, our engineers understand the desire for such a feature but we don't have any plans to allow this functionality at this time RE: Why.
What
ImprovMX employs Spam Assassin on the system level to protect users, their domains, and ImprovMX as a whole against spam and the negative reputation associated with it. This measure isn't designed as a full spam protection layer and is instead in place as a minimal filter. Although our implementation isn't quite 1:1 in regard to traditional Apache usage, we've found it to be very effective against low-hanging fruit (the obvious spam).
When emails transit ImprovMX, they run through a series of processes prior to reaching their intended recipient (https://improvmx.com/what-happens-when-we-receive-an-email/). During the DATA, and briefly during the HELO, portion of the connection, we check the reputation of the connecting domain and anonymously run the email through our ImprovMX hosted Spam Assassin instances.
How
Spam Assassin is used during the latter, DATA, phase of email transit. Spam Assassin runs many tests against the email to ensure it's reputable, RFC compliant, and that it doesn't pose any obvious risks to domain and service reputation. Each failing test contributes to the overall spam score on a particular email. On ImprovMX, the email is refused if the cumulative spam score exceeds 5.0. Each failing test is then appended to the corresponding email log entry for the domain. Here's an example of such a failure:
5.7.1 Message considered as SPAM (Score of 7.0/5 with HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2, RCVD_IN_PSBL, RCVD_IN_RP_RNBL, SPF_HELO_PASS, SPF_PASS, T_KAM_HTML_FONT_INVALID, URIBL_ABUSE_SURBL, URIBL_BLOCKED)In the above scenario, the sender was rejected primarily because they appear to be listed on many block lists (RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H2, RCVD_IN_PSBL, RCVD_IN_RP_RNBL). This can be confirmed by running the sender (the FROM on the refused log entry) against the referenced block lists or using a tool such as MXToolbox which is an aggregate block list checker.
*Note that ImprovMX weighs its Spam Assassin tests uniquely. Our scores will differ from a default Spam Assassin installation.
Why
Forwarding services such as ImprovMX are inherently susceptible to the negative reputation imposed by spam mail that transits the service. As forwarders, we effectively become the "sender" of each email forwarded through ImprovMX. Allowing mail that fails Spam Assassin or sender reputation tests to pass through ImprovMX would essentially put the blame and negative reputation of spam mail on ImprovMX as a whole. In turn, this would ultimately lead to the majority of mail forwarding/originating from ImprovMX landing in the spam box of recipients.
In addition to ensuring ImprovMX's reputation isn't marred by spam, these measures also protect user domains in the same way. Prohibiting spam mail from forwarding to/from user domains prevents the domain from receiving any of the negative reputation associated with it. This can often happen unknown to the user as spam mail may be attached during an email thread conversation or a compromised email account.
Privacy
ImprovMX runs Spam Assassin on proprietary servers and instances administered by our engineers. There are no third-parties involved beyond block list checks against sending servers and domains. Therefore, there should be no additional privacy concern as we adhere to the same assurances and privacy-first design measures as we do with the entire ImprovMX system.
Spam Assassin Tests
Spam Assassin has a rather exhaustive list of email tests which can be found here: https://github.com/apache/spamassassin/tree/trunk/rules