Below, this is the non-standard Received header that was in the message that caused a UNPARSEABLE_RELAY match. I am splitting it into 2 lines here for readability.
Received: from 946634442539 named unknown by gmailapi.google.com with HTTPREST; Wed, 3 May 2017 11:47:36 -0700 This Received header appears to be the format used in a message sent by an app using oauth to send as a user. If so, legit use is rare. For a short time I had Mimedefang logging matches on the pattern /gmailapi.google.com with HTTPREST/ and saw only a few. The link in the html part started as follows: <a href="https://accounts.google.com/o/oauth2/auth?client_id= I don't have samples of legit mail to compare this to. It strikes me as odd that mail sent using an app (diagnosed from the Received header) would contain a link to allow an app to get an oauth token. If that's a red flag then a meta on these two things will diagnose future attempts. -- Joseph Brennan