How can the forwarder be whitelisted when the forwarder doesn't
The forwarder doesn't appear in the MAIL FROM. Only the original
does. So you can't base rejection on MAIL FROM.
You can whitelist the forwarder by IP address or the HELO domain.
It is perfectly reasonable to ask end users who establish forwarding
relationships to whitelist the addresses that forward to them.
It is perfectly absurd to expect end users to know, let alone whitelist,
either the IP address or the HELO domain of the MTAs running at the