I use the friends challenge system on a limited number of accounts.  The user needs to review the quarantine folder at least weekly.  No exceptions or you will miss legit email.

White listing.  One of the largest issues with whitelisting for utilities or credit card statements is the Envelope From may not match the From field.  Whitelisting works on the Envelope From and you will find many times the sender uses a mass mail provider and the Envelope From will have no relationship to the sender address you are trying to whitelist.

Even though I use Friends Challenge, I do not recommend it's use and it's limited to three accounts here.

Lyle Giese
LCR Computer Services, Inc.

What is the best practice for example if you wanted to make sure certain legit domains are never sent challenge emails?

Example: Utilities sending bills or statements,  Amazon/Online senders sending delivery updates, or other automated messages. 

The goal is for them to get through BUT you still want to make sure SPF checks are complete.  In other words I'd like to globally whitelist a domain but only from the legitimate source.  We won't want them to get quarantined or challenged ever. 

Thanks in advance for any advice.