|  | @@ -12,8 +12,9 @@ SOGO_CONTACT_EXCLUDE {
 | 
	
		
			
				|  |  |    expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
 | 
	
		
			
				|  |  |  }
 | 
	
		
			
				|  |  |  # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
 | 
	
		
			
				|  |  | +# DMARC_POLICY_SOFTFAIL indicates a "none" policy, which we don't want to punish
 | 
	
		
			
				|  |  |  SPOOFED_UNAUTH {
 | 
	
		
			
				|  |  | -  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
 | 
	
		
			
				|  |  | +  expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies & !DMARC_POLICY_SOFTFAIL";
 | 
	
		
			
				|  |  |    score = 50.0;
 | 
	
		
			
				|  |  |  }
 | 
	
		
			
				|  |  |  # Only apply to inbound unauthed and not whitelisted
 |