Here is the order that is used to check emails by MailSecurity.

1. Decompression Engine
2. Virus Scanning Engines
3. Trojan Scanner
4. Email Exploit Detector
5. Html Script Removal
6. Attachment Checking
7. Content Checking

1. Blacklist / Whitelist Module
   Check if the Mime From is in the Whitelist Check if the Mime To is in the Whitelist Check if the Mime From is in the AutoWhitelist Check if the Mime From is in the BlackList Check if the Mime To is in the BlackList
2. Bayesian Filter Module (available in MailEssentials 9 and higher)
3. Header Checking Module
   Check if the Mime From is empty Check that the Character Set used in the message is allowed Check for numbers in the Mime From email address Check if the subject contains the first part of the email message (the part before the @ sign) Check if the email is addressed to more then the specified amount of recipients Check if the Mime From is a malformed email address Check if the email contains any remote images and less then 512 characters Check if the ip addresses found in the message header is on the DNS Black List Verify that sender domain is valid by performing a DNS lookup on the domain part of the Mime From email address.
4. Keyword Checking Module
   Subject keyword scanning Text body keyword scanning HTML body keyword scanning

1. This processing order cannot be changed.
2. The Virus Scanning Engines, the Attachment Checking Rules and the Content Checking rules can have their priority changed
3. When a MailSecurity plug-in quarantines an item and the item is approved by the administrator, the rest of the plug-ins will process the item. This could result in having the same item quarantined multiple times.

1. All the above options can be enabled or disabled from the MailEssentials configuration -> Anti-Spam node.
2. Scanning stops as soon as a check flags the email as spam. That is, if (e.g.) “Check if the Mime From is empty” check flags an email as spam the rest of the checks are not performed on the email.