Correct/Fix the SPF interpretation in Message Headers
In a recent email attempting to phish one of our staff and pretending to come from the CEO, I discovered an issue with our SPAM filtering.
Someone had put our domain in the allowed domain list.
The from address was our domain.
The reply address was a different domain.
The Source IP was not in the SPF record.
But because the domain was in the allowed list, the header indicates an SPF pass. The header also contains the Forefront SKA analysis indicating where the problem really is.
In my opinion, the SPF pass is a fail on the message processing. Regardless of the SPAM settings, the SPF pass/fail must be based only on the actual SPF record. So the header should have read SPF fail. That would have been a clear indication that something else was letting the message in.
No SPAM filtering setting should change the accepted standard of how SPF pass/fail is determined.
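A header audit for the situation described in the post, added here as an example and not written by the poster or the vendor: it re-checks the source IP against the SPF record independently of the stamped result and flags the allow-list bypass and the Reply-To mismatch. Assumptions: the verdict and connecting IP are read from the `SFV` and `CIP` fields of `X-Forefront-Antispam-Report`, the message and SPF record are constructed samples using placeholder domains, and only `ip4`/`ip6` mechanisms are evaluated (no DNS lookups).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the post); example.com/.net are placeholders.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:US;SFV:SKA;SCL:-1
From: "CEO" <ceo@example.com>
Reply-To: ceo@example.net
Subject: Urgent request

Are you at your desk?
"""
# Constructed SPF record for example.com, supplied inline instead of via DNS.
SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 -all"

def ip_in_spf(ip, spf_record):
    """True if ip matches an ip4:/ip6: mechanism of the SPF record."""
    addr = ipaddress.ip_address(ip)
    for term in spf_record.split()[1:]:
        m = re.fullmatch(r"\+?(ip4|ip6):(.+)", term, re.I)
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def audit(raw_message, spf_record):
    """Return findings where the stamped verdicts disagree with the evidence."""
    msg = message_from_string(raw_message)
    fields = msg.get("X-Forefront-Antispam-Report", "").split(";")
    report = dict(f.strip().split(":", 1) for f in fields if ":" in f)
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    findings = []
    if report.get("SFV") == "SKA":  # delivered because of an allow-list entry
        findings.append("allow-list bypass (SFV:SKA)")
    cip = report.get("CIP")
    if spf and spf.group(1) == "pass" and cip and not ip_in_spf(cip, spf_record):
        findings.append("header says spf=pass but source IP is not in the SPF record")
    reply = domain_of(msg.get("Reply-To"))
    if reply and reply != domain_of(msg.get("From")):
        findings.append("Reply-To domain differs from From domain")
    return findings
```
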