I have been using SpamHero for a while now with very good results but I was still getting a substantial amount of spam which bypassed my MX records and was sent directly to the IP address of my mail server. Since I use a popular cPanel hosting reseller account instead of hosting my own mail server there was little I could directly do to prevent this type of spam. Filters helped some but not enough.

After careful consideration and thought I was able to come up with what I consider to be a completely effective solution to this problem. It's a bit complex, I admit, but it works very very well. SInce implementing this solution a few weeks ago I have only received a total of (count 'em) three spam messages on my entire domain and all its domain aliases! And the three messages that I did get were ones that SpamHero itself missed.

Here are the steps I took to achieve this happy state of affairs:

• Configure SpamHero as instructed in the online documentation. Pay close attention to any special requirements outlined therein for your specific hosting and/or mail server setup. Make certain that the only MX records you have defined are those recommended by SpamHero itself.
• Allow some time to verify that your SpamHero setup is functioning properly and delivering email to your email accounts and aliases as expected.
• Make sure that either the catch-all feature is enabled or that you have manually defined all email recipients used on your domain(s) in the SpamHero control panel. Again, verify proper functionality before proceeding further. 
• For each actual email account on your domain go into your hosting company's control panel and create a corresponding new account. For instance, if the email account is named george@mydomain.com create a new account named george.filtered@mydomain.com. Do not define these new accounts as valid addresses within SpamHero. This will prevent any mail sent directly to these accounts from reaching your new inbox(es).
• Set up these new email accounts within your customary email client. For the login address use the complete name of the new account (i.e.: george.filtered@mydomain.com), but make certain you use the original email address when specifying the account email address. You need to be using an email client that supports this ability. Most (but not all) do indeed support it. Do not at this time delete the original email account.
• Next, log into SpamHero and go into the “Settings” section. Next, select the “email recipients” option, then click the "edit" link, after hovering your mouse over an email address. You will need to modify the setting for each address. As in the previous example you want the address george@mydomain.com to be forwarded to george.filtered@mydomain.com. This will change the “Envelope-To:” email header for each email message received and thus redirect it to the new account(s) you created in step #5. Again, make certain that you do not include your new email account(s) as an acceptable SpamHero alias. You do not want any messages sent directly to george.filtered@mydomain to actually be received in your email client. By setting things up in this manner you insure that the only way an email message can reach this new email account is via the new forward/redirected alias that you have just modified within SpamHero.

• If you are using cPanel hosting you will need to add one additional alias named cpanel. This will allow you to receive any automatically-created cPanel administrative messages to your address. Setup this alias with special forwarding as described in the previous step. Use whatever valid email account you like. The creator of this document uses the address admin.filtered@mydomain.com.
• After you have completed these steps you might want to wait a day or two to ensure that all mail is directed to the new email account you created in step #5 and not to the original email account.
• If you are using IMAP rather than POP for retrieving mail you will need to migrate any stored messaged from the old account(s) to the new account(s). In most email clients you can simply drag the email folders from the old to the new account(s). If you have a large amount of mail, a slow Internet connection or your mail host is slow this might take some time. Make certain that you have allowed enough time for this process and that all email messages exist in the new account(s) before deleting the original folders in the old account(s).
• You must now delete the original email accounts from both your email client(s) and within your hosting firm's control panel.
• The next steps assume that you are using a hosting firm that uses the popular cPanel software. These steps can also be modified slightly for other types of hosting accounts. The important thing here is to close all the gaps which might possibly allow any email messages to reach your inbox(es) from any source other than directly from SpamHero itself.
• Next, log into your cPanel or other control panel. You absolutely must remove any “catch-all” forwards or default addresses. If you're using cPanel go into the “Mail” settings and double click on the “Default Address” icon. Make certain that no default address is set for any domains utilizing SpamHero. You either need to return a bounced message to the sender or else use the advanced settings to deliver un-routed mail to “:blackhole”. Even though cPanel suggests the former, I personally recommend the second option. You're being a better Internet citizen that way by not generating a lot of spurious Internet traffic that just ends up getting automatically rejected by spammers anyway.
• Also, under the cPanel or other control panel you should go into the “Forwarders” Section and carefully remove all email address forwards (domain forwards are needed if you have defined domain aliases within SpamHero.) on the domain(s) for which you are using SpamHero. The desired end result is that you have a situation whereby SpamHero (and not your hosting company) controls all address forwarding. This final step closes the final “hole” allowing you to receive any messages sent by any clever spammers who look up your domain's IP address and thus send spam messages directly to your mail servers.
• Now, the only messages that can possibly get through to you come either directly from SpamHero (and are thus filtered) itself or are sent to one of your filtered email accounts (i.e.: to george.filtered@mydomain.com). And since you never give out the filtered address (i.e.: george@mydomain.com) to anyone at any time no one can possibly know that these are the only address on your domain(s) that will directly accept unfiltered mail! Just make certain that your email clients are set up to show your email address as the original address (i.e.: george@mydomain.com). I also highly suggest that you create SPF records for all your domains.