diff --git a/app/services/rules.py b/app/services/rules.py
index 4cbde0b..2bb514b 100644
--- a/app/services/rules.py
+++ b/app/services/rules.py
@@ -48,16 +48,26 @@ def _render_payload_line(payload_line: str, behavior: str) -> str:
 return payload_line
+def _attach_policy(rendered_line: str, target: str, append_no_resolve: bool) -> str:
+ parts = [part.strip() for part in rendered_line.split(",")]
+ if parts and parts[-1] == "no-resolve":
+ parts.insert(len(parts) - 1, target)
+ line = ",".join(parts)
+ else:
+ line = f"{rendered_line},{target}"
+ if append_no_resolve:
+ line += ",no-resolve"
+ return line
+
+
 def _resolve_rule_lines(rule_name: str, app_config: AppConfig, client: ClientConfig) -> list[str]:
 rule = app_config.rules[rule_name]
 target = resolve_policy(rule.policy, client)
 lines: list[str] = []
 for payload_line in rule.payload:
- line = f"{payload_line},{target}"
- if rule.no_resolve:
- line += ",no-resolve"
- lines.append(line)
+ rendered = _render_payload_line(payload_line, rule.behavior)
+ lines.append(_attach_policy(rendered, target, rule.no_resolve))
 if rule.file:
 line = f"RULE-SET,{rule_name},{target}"
@@ -108,9 +118,6 @@ def build_inline_rules(app_config: AppConfig, client: ClientConfig) -> list[str]
 target = resolve_policy(rule.policy, client)
 for payload_line in load_rule_payload(path):
 rendered = _render_payload_line(payload_line, rule.behavior)
- line = f"{rendered},{target}"
- if rule.no_resolve:
- line += ",no-resolve"
- lines.append(line)
+ lines.append(_attach_policy(rendered, target, rule.no_resolve))
 lines.append(f"MATCH,{client.main_policy}")
 return lines
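Review bot: `_attach_policy` accepts any `rendered_line` and attaches `target` without checking its shape, so a payload line that already carries a policy field, or contains an embedded line break, passes straight into the generated rule list; the same helper now serves the file-backed lines in the `build_inline_rules` hunk, where the text comes from `load_rule_payload(path)`. If those rule files can originate outside the project (not visible in this diff), I would reject such lines before building the rule, for example `if "\n" in rendered_line or "\r" in rendered_line: raise ValueError("payload line contains a line break")`, and bound the number of comma-separated fields per rule type. Separately, the `else` branch returns `f"{rendered_line},{target}"` with the original spacing while the `no-resolve` branch re-joins stripped parts, so the output format depends on which branch ran; appending to `parts` and joining in both paths would make it uniform. A one-line docstring stating that the policy is placed before a trailing `no-resolve` would also help the next reader.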