This is really a problem. Just had a client complain about getting a "Wire Transfer" message from their "boss".
I already had all of Bruce's settings implemented from above, but to no avail.
In the Header, The "From" address is the real Boss address, but the "Return-Path" and "Reply-To" are different.
None of the email addresses or domains are "Trusted Senders" globally, at the site level, or the user level.
Why in the world world this be delivered?