I find it very time consuming to consider 1573 TLD when configuring global filters to block an entire TLD. I'm sure someone will flame me for this, but I only ever expect to receive messages from the most common TLD's. Anyone else can ask to have their TLD added to my allow list as far as I am concerned. To achieve this in a single filter I installed postfix-pcre ( apt-get install postfix-pcre ). Edit the main.cf ( /etc/postfix/main.cf ) and configre check_headers to use pcre: instead of regexp:. In ISPConfig I created a header filter with a negative lookahead to ensure the "From" address is coming from an allowed TLD. /.*From:\s.+?<[email protected]+?\.(?!com>|net>|org>|edu>|gov>|mil>)(.+?>)/Altering the filter is as simple as adding or removing ####>| in the negative lookahead e.g.) to add .ca .*From:\s.+?<[email protected]+?\.(?!ca>|com>|net>|org>|edu>|gov>|mil>)(.+?>)I know that the "From" address can be forged, but my assumption is the check_host() function to validate the domain and SPF will reject a forged sender relay to begin with.