> > blocklist_from *@gmail.com > welcomelist_auth *@gmail.com > > makes it perfect :) > > if both dkim and spf is pass, it will get neutral scores >
I found this to be not sufficient (assuming the above pass is ~all). gmail has spf ~all. So I have made an exception for the google network in milter and everything from the gmail / google that would fail an -all spf I reject. There is only a few legitimate domains that will be targetted by this, but asking them to correctly setup spf is mostly enough.
