Skip to main content
FeaturesPricingFor TeamsEnterpriseDocs
Log in to your account

Card required to begin • Setup in 5 minutes

AdvancedDeliverability

Spam Forensics

Diagnose why email lands in spam with NimbusOS spam forensics -- per-template trigger keyword analysis, ISP-specific spam scoring, and content rewrite recommendations.

9 min read
Updated April 23, 2026
2,000 words

When a campaign underperforms, the question is not always "why are opens low" but often "why are these emails landing in spam". Spam forensics in NimbusOS reads every bounce, complaint, and deliverability signal to identify the specific content, timing, or reputation factors that push mail out of the inbox. This article walks through the forensics data model, the trigger keyword analysis, the per-template and per-campaign reports, and the recommendations workflow.

The SpamForensicReport Model

Every content-triggered bounce or complaint creates or updates a SpamForensicReport. The report aggregates:

  • source (the specific filter that rejected or complained)
  • trigger_keywords (words or phrases correlated with spam flags)
  • spam_score (ISP-reported score, 0-10 scale typical)
  • affected_templates (which templates produced the flagged content)
  • affected_campaigns (which campaigns had high spam scores)
  • recommendations (platform-generated suggestions)
  • snapshot_date

Reports are per workspace and update nightly. The forensics dashboard at /spam-forensics renders them.

Trigger Keyword Analysis

Spam filters use many signals. One signal the platform can read directly is the content: which words and phrases appear in messages that get flagged versus messages that deliver cleanly.

The platform maintains a dynamic trigger keyword list built from two inputs:

Static list. Well-known spam trigger phrases: "act now", "free money", "limited time offer", "click here", "amazing deal", and around 300 more. Static because these are broadly triggering across ISPs.

Dynamic list. Learned from your workspace's own data. Words or phrases that appear significantly more often in flagged emails than in delivered emails. This captures ISP behavior changes and industry-specific triggers.

The report shows the top 20 triggers in your flagged mail, with the number of sends containing each.

Per-Template Analysis

Open the template detail in Spam Forensics. The view shows:

  • Delivery rate to inbox across recent sends
  • Delivery rate to spam
  • Most common trigger keywords in this template
  • Rewrite suggestions that remove or rephrase triggers

Two anti-patterns this view catches frequently.

ALL CAPS in the subject. Even partial caps (like "IMPORTANT: follow up") spike spam scores. The rewrite suggestion shows the identical subject in sentence case.

Too many links in a short body. Three URLs in a 100 word email looks like a spam pattern. The rewrite suggestion consolidates to one CTA link.

Per-Campaign Analysis

At the campaign level, forensics shows:

  • Spam score distribution across sends
  • Inbox placement rate by ISP
  • Top factors contributing to spam scores (content, reputation, authentication, timing)
  • Comparison against similar campaigns in the workspace

The "top factors" view is the one to check first when a campaign is underperforming unexpectedly. It attributes the spam delivery to the most likely cause.

Per-ISP Spam Score

Gmail, Microsoft, and Yahoo each expose a spam score per message when the message lands in spam. The forensics report aggregates these scores.

Reading the aggregation:

  • Gmail spam score 5-7 on a significant portion of sends: the content is mildly triggering Gmail's spam filter. Usually content-related.
  • Microsoft spam score above 7: the reputation signal on the sending IP or domain is low. Usually not content.
  • Yahoo delivering to spam consistently: Yahoo FBL complaints feedback loop; check FBL data.

Recommendations Engine

The recommendations engine reads the report and produces suggestions. Categories:

Content rewrites. Specific phrases to remove or rephrase, with a suggested alternative.

Subject line changes. Length adjustments, casing fixes, emoji removal.

CTA simplification. Removing multiple CTAs, consolidating links.

Template structure. Suggestions like "move the unsubscribe link to the footer" or "add an intro sentence before the pitch".

Reputation interventions. If the spam delivery is reputation-driven (not content), the recommendation is to pause sends from the affected inbox or domain rather than rewrite content.

Each recommendation has an "accept" button that applies the change. Changes are versioned via the template version log, so you can review and revert.

Working Through a Spam Incident

A typical incident flow.

Step 1. Campaign alerts fire: spam complaint rate at 0.15 percent (above threshold). Campaign auto-pauses.

Step 2. Open the Spam Forensics tab. Scroll to recent flags.

Step 3. Read the trigger keyword breakdown. If one phrase is responsible for most flags, the fix is to rewrite that phrase.

Step 4. Read the ISP breakdown. If one ISP is responsible, the fix may be ISP-specific (e.g., removing a URL that is on a Gmail blacklist).

Step 5. Apply the top recommendations. Review the rewrites. Save template.

Step 6. Resume the campaign. Watch the next 100 sends carefully.

Step 7. Document the incident in the campaign notes for the team.

Cross-Campaign Pattern Detection

When multiple campaigns in a workspace share spam patterns, the forensics report flags the shared factor. Examples:

"Templates that include the phrase 'ROI calculator' have 3x higher spam rate than templates without."

"Subjects with emoji see 2x higher spam rate in this workspace."

"Sends from inbox alice@sender-domain-3.com have 5x higher spam rate than the fleet average."

Cross-campaign patterns write to the Growth Brain as signals for cross-workspace learning.

Integration with the Copy Standards Filter

Many of the content issues spam forensics would catch are pre-empted by the Copy Standards filter at template save time. The filter blocks em dashes, banned AI phrases, exclamation points in subjects, and several known trigger patterns.

Forensics is the second line of defense. It catches patterns the static filter did not because those patterns are ISP-specific or industry-specific, not universal.

The Relationship to Reply Intelligence

A spam complaint is classified by reply intelligence as spam with high confidence. The complaint flows into both the reply intelligence log and the spam forensics report.

This gives you two views of the same event. Reply intelligence says "this is a spam complaint". Forensics says "this is a spam complaint and here is why the content triggered it".

Spam Forensics on Warmup Mail

Warmup mail goes through forensics too. If a warmup inbox is producing unusually high spam scores during warmup sends, the inbox is paused and flagged before it progresses to stage 3.

This is a quiet but important protection. A warmup inbox that delivers to partner spam folders produces the opposite of the intended reputation signal.

Spam Trap Detection

Spam traps are email addresses maintained by ISPs to catch senders with bad list hygiene. A send to a spam trap is a severe reputation event.

NimbusOS detects likely spam traps in two ways.

Dormant addresses that suddenly activate. An address that had no prior activity and now bounces with a specific pattern is a likely recycled trap.

Addresses on third-party trap intelligence. The platform maintains a list fed by third-party trap intelligence services; addresses on this list are suppressed globally.

Spam trap hits produce the highest-severity forensics event and pause the responsible campaign immediately.

Troubleshooting

"Spam forensics says zero flags but my open rates are clearly bad"

Spam folder delivery does not always produce a reported flag. Microsoft in particular silently delivers to the Junk folder without a measurable spam score. The forensics view is more reliable on Gmail than on Microsoft.

Check the per-ISP breakdown. If open rates are near zero on Microsoft specifically, the silent spam delivery is likely the cause even without forensics flags.

"Applied the recommendations but the campaign still delivers to spam"

Recommendations address content factors. Reputation factors take longer to rebuild. If authentication is good and content is clean, the residual spam delivery is reputation-based and will recover over days to weeks as the sending fleet reputation rebuilds.

"Flagged on a word that is central to my offer"

Some offers have spam-triggering keywords that are hard to remove (words like "free trial", "discount", "webinar" all carry some risk). Rephrase: "no-obligation access" instead of "free trial", "40 percent savings" as a specific number instead of "discount", "online session" instead of "webinar". Specificity tends to lower spam scores while preserving meaning.

"Recommendations are generic and not relevant to my use case"

The recommendations engine improves with workspace-specific data. In the first weeks of a new workspace, recommendations are generic because there is no internal comparison baseline yet. After 50 to 100 campaigns, recommendations are much more tailored.

Frequently Asked Questions

Can I export a full forensics report for a campaign?

Yes. The Campaign detail has an export option that produces a PDF or CSV with the full forensics analysis, including trigger keywords, per-ISP breakdowns, and recommendations.

Does forensics read content at send time or after bounce?

After. The forensics engine processes bounce and complaint events that carry content back. Sends that never bounced or complained are sampled for ambient analysis.

How often is the trigger keyword list updated?

Static list updates quarterly. Dynamic workspace list updates nightly. Platform-wide dynamic patterns update weekly.

What about HTML email?

HTML templates go through forensics with an additional HTML structure analyzer: checks for heavy nested tables, suspicious script tags, URLs without text anchors, and image-only content. Any of these raises the spam score component.

What to Read Next

Useful next pages after this one: Bounce Intelligence for the sibling bounce-side analysis, Email Templates for the Copy Standards filter that prevents many issues pre-emptively, and ISP Monitoring for how ISP-specific spam scores feed back into monitoring.

Related articles

Deliverability

Deliverability Overview

How NimbusOS measures sending reputation with the Nimbus Deliverability Score (NDS), tracks inbox and domain health, and gates campaigns at the fleet level.

Deliverability

Bounce Intelligence

How NimbusOS classifies every email bounce with ML-driven SMTP code and message pattern analysis, sets retry strategies, and protects sender reputation.

Deliverability

ISP Monitoring

Aggregate Gmail Postmaster, Microsoft SNDS, and Yahoo Feedback Loop signals in one NimbusOS dashboard for per-ISP reputation and deliverability visibility.

Deliverability

SPF, DKIM and DMARC

Email authentication records for cold outreach explained plainly, with NimbusOS automatic provisioning through Cloudflare, validation scoring, and troubleshooting.

Still stuck?

Our team answers every support ticket. If the answer is not in the docs, open a ticket and we will write the missing page.

Contact supportBook a demo