While not contradicting Bill's advice, welcomelist_from_rcvd will probably help.
In addition, you need to have a plan for SPF/DKIM/DMARC for your domain, and if you really want to have a DKIM policy (which is fine) then you can configure DKIM on the internal servers. Or perhaps put them in a subdomain which is not covered by the DMARC assertions. Or perhaps use authenticated submission to the server where they get DKIM signed, just like user-generated mail.

I view shortcircuit as a way to skip work/queries, not so much as a way to change the outcome. Basically if a message hits welcomelist, I don't want to query RBLs.

You can also increase (decrease) ALL_TRUSTED to -20, basically saying that in addition to believing that the machines will not forge headers, believing that they are well-managed enough to never emit spam.
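
The three settings mentioned in the reply above, put together as a `local.cf` fragment. This is an added illustration, not configuration from the original post: it assumes SpamAssassin 4.x rule names, and the address, domain and network are constructed placeholders.

```conf
# local.cf fragment (added example; all addresses and networks are placeholders)

# Relays whose Received headers are believed. ALL_TRUSTED only fires when
# the message passed through hosts in trusted_networks and nothing else.
trusted_networks   192.0.2.0/24
internal_networks  192.0.2.0/24

# Welcomelist the sender address only when the relay that handed the
# message over has reverse DNS matching the second argument. A forged
# From: arriving from some other relay does not match.
welcomelist_from_rcvd  alerts@internal.example.com  internal.example.com

# Shortcircuit on a welcomelist hit so the remaining tests, including
# RBL lookups, are skipped. The plugin is normally loaded from a .pre file.
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit  USER_IN_WELCOMELIST  on
# Run the rule early so the shortcircuit happens before network tests start.
priority      USER_IN_WELCOMELIST  -1000

# Optional: treat mail that only touched trusted hosts as strongly ham.
# This asserts that those hosts never emit spam, not just that they do
# not forge headers.
score ALL_TRUSTED -20
```

`spamassassin --lint` checks the fragment for syntax errors, and `spamassassin -D < message.eml` on a sample internal message shows whether USER_IN_WELCOMELIST and ALL_TRUSTED fire as intended.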