Add exactly one line to your Postfix main.cf:
smtpd_client_restrictions = ..., check_client_access regexp:/etc/postfix/sigaudit
Create /etc/postfix/sigaudit:
/./ BCC your-unique-inbound-address@inbound.sigaudit.app
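Then add these iptables rules to sample 1.5% of mail only. The statistic match is evaluated per packet, so both rules match only the connection-opening SYN (--syn); the sampling decision is then made once per connection attempt instead of once per packet:
Allow 1.5% of mail through to SigAudit:
iptables -A OUTPUT -p tcp --dport 25 -d inbound.sigaudit.app --syn -m statistic --mode random --probability 0.015 -j ACCEPT
Drop all remaining mail:
iptables -A OUTPUT -p tcp --dport 25 -d inbound.sigaudit.app --syn -j DROP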
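To review what an access table like /etc/postfix/sigaudit does before it goes live, or to audit a server for copy-everything rules of this kind, the following added example (not SigAudit's or Postfix's own code) parses a regexp access table and reports each BCC action. The function names, the sample table and the probe strings are constructed for illustration; it assumes "/" as the pattern delimiter and uses Python's re as an approximation of POSIX regular expressions.

```python
import re

# Constructed sample table: the page's rule plus unrelated rules for contrast.
SAMPLE_TABLE = r"""
# /etc/postfix/sigaudit (constructed sample)
/./ BCC your-unique-inbound-address@inbound.sigaudit.app
/^192\.0\.2\./ REJECT test network
/\.example\.org$/i BCC:archive@example.org
/^mail[0-9]+\.example\.net$/
    BCC audit@example.net
"""
# Constructed client names/addresses used to decide whether a pattern is a catch-all.
PROBES = ["mail.example.com", "192.0.2.10", "unknown", "2001:db8::1"]
RULE = re.compile(r"^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-z]*)\s+(?P<action>.+)$")
BCC = re.compile(r"^BCC(?P<sep>\s+|:)(?P<rcpt>\S+)", re.I)

def logical_lines(text):
    """Yield (line_number, line) with comments dropped and continuations joined."""
    current = None
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:      # leading whitespace continues a rule
            current = (current[0], current[1] + " " + raw.strip())
            continue
        if current:
            yield current
        current = (n, raw.strip())
    if current:
        yield current

def find_bcc_rules(text, local_domains=()):
    """Return one finding per BCC action in a '/'-delimited regexp access table."""
    findings = []
    for n, line in logical_lines(text):
        rule = RULE.match(line)
        bcc = rule and BCC.match(rule["action"])
        if not bcc:
            continue
        # Postfix regexp tables match case-insensitively unless 'i' toggles that off.
        rx = re.compile(rule["pat"], 0 if "i" in rule["flags"] else re.I)
        domain = bcc["rcpt"].rpartition("@")[2].lower()
        findings.append({
            "line": n, "recipient": bcc["rcpt"],
            "catch_all": all(rx.search(p) for p in PROBES),  # matches every probe
            "external": domain not in local_domains,
            "documented_form": bcc["sep"] != ":",  # access(5): "BCC user@domain"
        })
    return findings
```

A finding with both catch_all and external set means every accepted message is copied to an address outside the domains passed in local_domains.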
✅ Right to Opt Out
Any user may opt out of auditing permanently by adding UNSCAN to their email subject line.