type.inbound
and any($org_vips,
strings.contains(sender.email.local_part, ".")
and strings.starts_with(.email, sender.email.local_part)
and (
sender.email.email != .email
or (
sender.email.email == .email and not headers.auth_summary.dmarc.pass
)
)
)
and (
// ignore personal <> work emails
// where the sender and mailbox's display name are the same
length(recipients.to) > 0
or length(recipients.cc) > 0
or sender.display_name != mailbox.display_name
)
// bounce-back negations
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// sender profile
and (
not profile.by_sender_email().solicited
or not profile.by_sender_email().any_messages_benign
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
or (
sender.email.domain.domain in $org_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
)
Playground
Test against your own EMLs or sample data.