type.inbound
// Legitimate DocSend sending infrastructure
and sender.email.email == "no-reply@docsend.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
// the message needs to have a reply-to address
and length(headers.reply_to) > 0
// reply-to email address has never received an email from your org
and not any(headers.reply_to, .email.email in $recipient_emails)
// reply-to domain was registered less than 30 days ago
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)