type.inbound
and strings.icontains(body.current_thread.text, "authentisign")
and (
regex.icontains(body.current_thread.text, 'signing (?:name|party)')
or strings.ilike(sender.display_name, '*authentisign*')
or strings.ilevenshtein(sender.display_name, 'authentisign') <= 1
or strings.ilike(sender.email.domain.domain, '*authentisign*')
)
and (
sender.email.domain.root_domain != "authentisign.com"
or (
sender.email.domain.root_domain == "authentisign.com"
and not (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
)
Playground
Test against your own EMLs or sample data.