With Postfix I of course have options to choose the order of checks. For now I did not permanently choose any tool that limits that too much. I think I'll try to pick and make the tools fit my policy.
So if I understand the comments more or less right, this is a good order, for the policy it executes, that takes account for the expensiveness of the checks? check multiple DNSBLs with postscreen, reject immediately if total score is high enough check simple headers with postscreen mumble restrictions, reject immediately if fails check SPF with policy filter, reject immediately if it fails check mime headers with proxy filter, reject immediately if it fails check for Virus with milter, reject immediately if it fails check DKIM with milter, reject immediately if it fails check DMARC milter, reject immediately if it fails All of this is for inbound prequeue. Only next do I pass the message to postqueue content filters for Spamassassin scores, and make other non-reject decisions.
