type.inbound
// allow for multiple google TLDs
and sender.email.domain.sld == "google"
and headers.auth_summary.spf.pass
// g.co url shortner in links or the current thread to identify the workspace name
and (
any(body.links, .href_url.domain.root_domain == 'g.co' and .href_url.domain.subdomain is not null)
or (
strings.icontains(body.current_thread.text, '.g.co')
and regex.icontains(body.current_thread.text, '[^\s]+\.g\.co\b')
)
)
Playground
Test against your own EMLs or sample data.