• Sublime Core Feed

Description

Detects messages impersonating Gemini Trust Company through analysis of footer content, social media links, and address verification, excluding legitimate communications from authenticated Gemini domains.

References

No references.

Sublime Security
Created Sep 2nd, 2025 • Last updated Jan 12th, 2026
Source
type.inbound
and (
  // the address in the footer
  (
    regex.icontains(body.current_thread.text,
                    "600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY"
    )
    and strings.icontains(body.current_thread.text, "Gemini Trust Company")
  )
  // logo detect combined with sender display name 
  // need to be more specific here due to other uses of the word "Gemini"
  or (
    sender.display_name =~ "Gemini"
    and any(ml.logo_detect(file.message_screenshot()).brands,
            .name == "Gemini Trust" and .confidence != "low"
    )
  )
  // copyright footer
  or strings.icontains(body.current_thread.text,
                       '© 2025 Gemini Trust Company, LLC'
  )

  // the social links in the footer
  or (
    length(filter(body.links,
                  strings.icontains(.href_url.url,
                                    'https://www.instagram.com/gemini/'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://www.linkedin.com/company/geminitrust/'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://facebook.com/GeminiTrust'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://twitter.com/Gemini'
                  )
                  or strings.icontains(.href_url.url,
                                       'https://support.gemini.com/hc/en-us/requests/new'
                  )
           )
    ) >= 4
  )
)
// not forwards/replies
and not (
  length(headers.references) > 0
  and (subject.is_forward or subject.is_reply)
  and length(body.previous_threads) >= 1
)
// not from Gemini actual
and not (
  sender.email.domain.root_domain in (
    "gemini.com",
    "niftygateway.com" // NFT market place owned by Gemini Trust Company
  )
  and headers.auth_summary.dmarc.pass
)
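
The following Python model is an added example, not Sublime's code: it mirrors the rule's text, link and sender checks over constructed messages to show that the sender exclusion only applies when DMARC also passes. The dict keys are hypothetical stand-ins for the MQL fields, and the logo-detection branch is omitted.

```python
import re

# Simplified model of the rule's text, link and sender checks (added example).
# Dict keys are hypothetical stand-ins for MQL fields; logo detection is omitted.
ADDRESS = re.compile(r"600 Third Avenue.{1,2}2nd Floor.{1,2}New York, NY", re.I)
SOCIAL = ("https://www.instagram.com/gemini/",
          "https://www.linkedin.com/company/geminitrust/",
          "https://facebook.com/GeminiTrust",
          "https://twitter.com/Gemini",
          "https://support.gemini.com/hc/en-us/requests/new")
TRUSTED = {"gemini.com", "niftygateway.com"}

def brand_signals(msg):
    body, hits = msg["body"], []
    if ADDRESS.search(body) and "gemini trust company" in body.lower():
        hits.append("address")
    if "© 2025 gemini trust company, llc" in body.lower():
        hits.append("copyright")
    # Like the rule's filter(), this counts matching links, not distinct sites.
    n = sum(any(s.lower() in u.lower() for s in SOCIAL) for u in msg["links"])
    if n >= 4:
        hits.append("social")
    return hits

def is_thread(msg):
    return bool(msg["references"]) and msg["fwd_or_reply"] and msg["prev_threads"] >= 1

def is_authenticated_gemini(msg):
    # A trusted root domain only exempts the message when DMARC also passes.
    return msg["root_domain"] in TRUSTED and msg["dmarc_pass"]

def flags(msg):
    return bool(brand_signals(msg)) and not (is_thread(msg) or is_authenticated_gemini(msg))

# Constructed sample messages, not real mail.
FOOTER = "Gemini Trust Company, LLC\n600 Third Avenue, 2nd Floor, New York, NY"
BASE = {"body": FOOTER, "links": [], "references": [], "fwd_or_reply": False,
        "prev_threads": 0, "root_domain": "gemini.com", "dmarc_pass": True}
SAMPLES = {
    "genuine": BASE,
    "spoofed_from": {**BASE, "dmarc_pass": False},
    "lookalike": {**BASE, "body": "Verify your account",
                  "root_domain": "example.net", "links": list(SOCIAL[:4])},
    "forwarded": {**BASE, "root_domain": "example.org", "references": ["<id@example.org>"],
                  "fwd_or_reply": True, "prev_threads": 1},
}

for name, msg in SAMPLES.items():
    print(f"{name:13} signals={brand_signals(msg)} flagged={flags(msg)}")
```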