@Merle - about Declude and SQL
If I were starting over, I would start with Declude Reboot, since it has supported source code. Declude Reboot can also be used with PostFix on Linux.
Declude allows us to call any executable. Declude calls VBScript, and several of those launch Python scripts in a subprocess (I have had trouble calling Python directly.)
Declude had built-in SPF logic, but it did not work correctly, and it had no DKIM/DMARC support. Declude Reboot has neither. Python has free modules for SPF, DKIM, DNS, IP Address classification, email message parsing, and other stuff that I have found useful. For authentication, I use the Python modules for SPF and DKIM, then apply my own non-standard logic for DMARC because I think slavish obedience to RFC 7489 leads to some really bad results.
SmarterMail calls Declude with two files: The EML file contains the message body, and the HDR file contains the SMTP information and a little extra. Some of my tests only need to look at that file.
The scripts also collect metadata about every message and store it in a SQL database created for that purpose. I actually have two of them. The first attempt runs on a SmarterMail + Declude box that serves as my MX. It discards messages with no valid recipient, evaluates SPF/DKIM/DMARC on every message, checks my SQL database for reputation data, stores evaluation results in the database, and the forwards the message inbound for additional filtering.
The second box is a commercial appliance with an adequate web page for message review and pretty good content filtering. SmarterMail and Declude both lack an adequate tool for this purpose, and I am hoping the MailsBestFriend will solve this by creating one. This box looks at the TESTSFAILED message header set by Declude, and does block, quarantine, or whitelist based on those instructions. It also applies its own logic to block bad content.
The third box is also based on SM+Declude+Python+SQL, but it does not block messages. It does a complex parse of the message for research purposes, with the results being stored in a more complex SQL database structure. It is also used to apply an External Sender warning which is customized to the characteristics of the message being received. (High-trust senders are not flagged at all.)
This third box also defends against Friendly Name impersonation by inserting the From address into the Friendly Name field of some messages (mostly mailbox providers like Gmail and Hotmail). This is necessary because some user interfaces, particularly on cell phones, hide the From address from the user, showing only the Friendly Name, and allowing user deception. I also use the third box to strip the attachment from incoming DMARC Aggregate Report messages. Because these content changes are made after the message has been accepted, they do not interfere with the message scoring process.
After the third box processes the message, it is delivered to the main SmarterMail server, which does no inbound filtering.
All of the code is available for sharing. Just send a private message.