@SteveITS My pfSense is running in pass-through mode. It's not acting as a router. It's simply a firewall. Traffic passes through it (if allowed) to the servers behind it. I understand that's a bit of an unusual setup but that's the way the expert set it up originally. I no longer have access to him.
No, I'm not trying to restrict email to only the US. I get email from several countries around the world. What I do want to do is shut down most countries because mostly they just attack my servers. I have both email and web servers behind the firewall so all that traffic needs to pass. We do 99% of our business with US customers but we do have vendors in other countries and support often comes from other countries, as do our credit card clearing services.
We already run a 3rd party spam filter and it does a pretty decent job. But why allow all those countries where we don't have reason to connect to slam away on our servers? We'd rather just tell them to go away. But that doesn't mean everyone other than the USA. It's not that simple. Plus, as you said, GeoIP isn't 100%.
So, I have always blocked a lot of countries while still allowing a few dozen in, and it's worked pretty well until pfSense went nuts last week and then went insane and we had to start over. I'd be thrilled if I could just get back to where we were, but restoring the configuration from before the mess doesn't seem to put us back to where we were. It seems not all the settings restore. And then of course there's the desire to put a couple of rules stuck to the top of the rule set, and that's what started all this mess in the first place.
I have a project I need to finish this week. I don't think I'll have time to circle back to this until Tuesday.