type.inbound
and sender.email.domain.root_domain == 'dropbox.com'
and not headers.auth_summary.dmarc.pass
// mitigates situations where an ESG misconfiguration could cause auth failures
and not strings.ends_with(headers.message_id, ".dropbox.com>")
Playground
Test against your own EMLs or sample data.