type.inbound
and (
strings.icontains(strings.replace_confusables(sender.display_name),
"squarespace"
)
or strings.ilevenshtein(sender.display_name, "squarespace") < 2
or regex.icontains(sender.display_name,
's\x{206E}+q\x{206E}+u\x{206E}+a\x{206E}+r\x{206E}+e\x{206E}+s\x{206E}+p\x{206E}+a\x{206E}+c\x{206E}+e'
)
)
// and the sender is not in org_domains or from Squarespace domains and passes auth
and not (
sender.email.domain.root_domain in $org_domains
or (
sender.email.domain.root_domain in (
"squarespace.com",
"squarespace.info",
"shipstation.com"
)
and headers.auth_summary.dmarc.pass
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
sender.email.domain.root_domain in $high_trust_sender_root_domains
and coalesce(headers.auth_summary.dmarc.pass, false)
)
Playground
Test against your own EMLs or sample data.