We try to recognise MSA authentication

some MTAs record this in a “Received” header (RFC 3848, defining “Received: with ESMTPSA” etc., especially useful)
some don't record it at all in headers :(
hence “msa_networks”: specify the IP address (ranges) where your MSAs live
SpamAssassin will assume that any message via those is from a trusted host, since your MSA authenticated the user

some MTAs record this in a “Received” header (RFC 3848, defining “Received: with ESMTPSA” etc., especially useful)