Global Manual Whitelist
Once you have set up Spamassassin so it is working and you have run it for some time you may want to tune it to provide automatic whitelists and blacklists.  The whitelist will provide a way to insure that the mail from a particular source will never get rejected.  This may be important clients, users on the system or messages from servers that do not necessarily have the right credentials for sending mail. Your company may have important clients that send email that has characteristics that put it on the edge with Spamassassin and you may want to ensure that you do not loose an email.  Or you may have users who are on the system that do not always follow the best protocol for how they construct messages but you want to make sure that their mail is not rejected.  An important use for whitelists is when you have servers that are sending logs, error messages, or monitoring information to a mail account and this mail does not have the format or the sender format that Spamassassin needs to see.  If you are looking for documentation of this information check out our Postfix Mail Server Manual.

The whitelist will automatically reduce the spam score for a user  which is listed in the whitelist.  The score is reduced by 100 points so that would suggest there is very little chance of the mail being rejected.
The procedure for using a whitelist is straightforward.  Use the directive whitelist_from to list any sources that you want to ensure get whitelisted.
Edit the /etc/mail/spamassassin/local.cf file to place these entries.  Listed is the default contents of this file.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Add your whitelists to the file, save and restart Spamassassin.

whitelist_from tom@example.com
whitelist_from *.@example.com *@goodexample.com
whitelist_from mail.server@myexample.com

When you list a user or source, you will list what you see in the Resent-From, From, Envelope-Sender, Recent-Sender or X-Envelope-From headers.  The wildcard “*” can be used to provide all of the users for a domain as you see in the examples above.

You can remove users that you place in the whitelist with unwhitelist_from.

unwhitelist_from tom@example.com

You may want to review the information found in 60_whitelist.cf which Spamassassin uses automatically as there may be some users listed that you want to remove.

You do have an additional option for sender whitelisting.  You can use whitelist_from_rcvd which does a reverse lookup with DNS to verify the IP Address of the last trusted relay.  So basically what it is doing is looking up the IP of where the mail came from to make sure it came from an IP Address on the senders network.  Now, this has several problems related to it.  First, you are using precious resources doing reverse DND lookups.  And second, depending how the sender network is designed, you may have problems verifying the IP Address.  Here is how you can use it to drop the score 100 points.

whitelist_from_rcvd tom@example.com example.com

Note that what you are requiring is that the mail sent by tom must come from a mail server on the example.com domain.

Whitelist Recipients
There are three separate levels of whitelisting you can perform for recipients.    If you had a user that did not want any spam checks on their account you would use this method of checking.  The whitelist_to directive can use the Resent-To, Resent-Cc, To, Apparently-To, Delivered-To, Envelope-Recipients, Apparently-Resent-To, X-Envelope-To, Envelope-To, X-Delivered-To, X-Original-To, X-Rcpt-To, X-Real-To, or Cc.

The three levels can be used like this:

whitelist_to  tom@mycompany.com   (lowers score by 6)
or
more_spam_to  tom@mycompany.com   (lowers score by 20)
or
all_spam_to   tom@mycompany.com   (lowers score by 100)