type.inbound
// message is from docusign actual
and sender.email.domain.root_domain == 'docusign.net'
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// reply-to email address has never been sent an email by the org
and not beta.profile.by_reply_to().solicited
// new reply-to
and any(headers.reply_to, network.whois(.email.domain).days_old < 30)
// not a completed DocuSign
and not strings.istarts_with(subject.subject, "Completed:")
Playground
Test against your own EMLs or sample data.