You need to scan incoming email for malware, such as spam, phishing and viruses. It's wrong to scan for viruses first.
That is a cycle-intensive process that requires opening up messages and assessing the contents. Scanning for malware needs to be a layered process that checks for other things before delving into content. For example, you should first check for suspicious sender IP addresses and suspiciously formed email headers.
There's a wealth of subtle, "out of band" information that can be gleaned at the connection level. The anti-spam filter should be first in a pipeline, and should be outside the organization's firewall, or in the DMZ. Increasingly, integrated email gateway security products are filtering spam and viruses, so this architectural issue is moot.
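
The cheapest-first ordering described above, as an added example that is not part of the original page: the connection-level and header-only checks run before any message content is decoded. The blocklisted network, the required-header rule, the hash list and the sample messages are constructed assumptions.

```python
import hashlib
import ipaddress
from email import message_from_bytes, policy
from email.parser import BytesHeaderParser

# Constructed sample data: documentation-range network and a made-up payload.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_PAYLOAD = b"constructed-test-payload"
BAD_SHA256 = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}
REQUIRED_ONCE = ("From", "Date", "Message-ID")
HEADERS = (b"From: a@example.com\r\nDate: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
           b"Message-ID: <1@example.com>\r\n")
CLEAN = HEADERS + b"\r\nhello\r\n"
NO_DATE = b"From: a@example.com\r\nMessage-ID: <2@example.com>\r\n\r\nhello\r\n"
INFECTED = HEADERS + b"\r\n" + BAD_PAYLOAD

def check_connection(peer_ip):
    """Stage 1: cheapest check; needs only the connecting IP address."""
    ip = ipaddress.ip_address(peer_ip)
    return "sender network is blocklisted" if any(ip in n for n in BLOCKED_NETS) else None

def check_headers(raw):
    """Stage 2: parse the header block only; the body is never decoded."""
    hdrs = BytesHeaderParser(policy=policy.default).parsebytes(raw)
    for name in REQUIRED_ONCE:
        count = len(hdrs.get_all(name, []))
        if count != 1:
            return f"{name} header appears {count} times"
    return None

def check_content(raw):
    """Stage 3: expensive; decodes every MIME leaf part and hashes it."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            data = part.get_payload(decode=True) or b""
            if hashlib.sha256(data).hexdigest() in BAD_SHA256:
                return "part matches known-bad hash"
    return None

def triage(peer_ip, raw):
    """Run stages cheapest-first and stop at the first rejection."""
    stages = (("connection", lambda: check_connection(peer_ip)),
              ("headers", lambda: check_headers(raw)),
              ("content", lambda: check_content(raw)))
    for name, stage in stages:
        reason = stage()
        if reason:
            return ("reject", name, reason)
    return ("accept", None, None)
```

A message from the blocklisted network is rejected at the connection stage even when its body would also fail the content scan, so the expensive stage never runs for it.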