Hi, I have a number of rules that checks for the existence of legitimate docusign links and general weirdness (like the lack of a legitimate To address or to undisc-recips), but it doesn't work for this legitimate docusign email:
https://pastebin.com/tZthJnb2 Somehow it's sending to hel...@gmail.com when the real recip is 04...@example.com (it was forwarded for some reason), and the envelope-from is also gmail - I'm assuming it was routed through gmail for some reason. Why? Is the lack of a proper To header even a reliable spam indicator anymore for this? This is just a mailing list email, not a document that needs to be signed, but why would docusign make it more difficult to ensure the delivery of their email? Is it enough to allow this to pass based on the received header? Received: from mail06.esign.docusign.com (mail06.esign.docusign.com. [204.92.114.62]) Other ideas? I've already added a number of docusign addresses to the welcomelist: $ grep docusign whitelist.cf whitelist_auth *@esign.docusign.com whitelist_auth dse_...@docusign.net whitelist_auth docus...@esign.docusign.com whitelist_auth d...@docusign.net whitelist_auth dse_...@docusign.net whitelist_auth dse_...@docusign.net whitelist_auth d...@eumail.docusign.net whitelist_auth casesta...@docusign.com whitelist_auth nore...@docusign.com whitelist_auth collecti...@docusign.com
