In general, I'm pretty happy with Zimbra's default SPAM settings. However, I've got one curious issue that I wonder there's actually a solution for (assuming Zimbra itself doesn't use SPF which we've configured on our DNS).
Basically, I've noticed that although all SMTP connections are set to be authenticated, Zimbra will receive emails on port 25 for local accounts, where the sender is also being spoofed as the intended recipient. So if my domain is 'puzzleduser.org' then Zimbra will receive unauthenticated SMTP connections (as I guess it must to receive incoming emails) from 'email@example.com' for 'firstname.lastname@example.org'.
Aside from implementing SPF using the info on the wiki here Improving Anti-spam system - Zimbra :: Wiki is there anything else I need do?