The other thing that should be done for [email protected] is that company.com should sign their mail with DKIM, and then you can
welcomelist_from_dkim *@company.com I find that many companies I deal with that produce semi-spammy mail (most big companies :-) have DKIM signatures and I can welcomelist on that, without welcomelisting forgeries. You can of course use _rcvd for the IP address. DKIM is just nicer if you can get them to do it.
