This particular message should FAIL a SPF check.

What weight settings -or- what are you doing with SPF failures on your server under Spam Settings?

Ron

Ron,

 Thanks for the reply. Looking at our settings the SPF rule is at the default setting of 5 fail weight. Maybe I will jack that up and see if that helps. Thanks for pointing me in the right direction.

@Jason - As Ron noted these types of spoofs (From address is spoofed, return-path is not) are usually handled/blocked by a combination of SPF checks, DMARC checks, RDNS checks, etc.

I recommend making sure you have SPF/RDNS, DKIM, and DMARC deployed for these domains, and that those same spam checks are enabled on the SmarterMail side.

That should allow your instance to recognize these spoofed messages and put a stop to them. That will also better enable third-party users/mail servers to better handle any spoofed messages they are getting from your domains as well. 

As a follow up, you might want to reject all SPF failures completely. It's pretty safe to do so in 2021, in my opinion.  We do.  So we have SPF Fail 30.

I agree with Kyle that SPF DKIM and DMARC be established (via DNS) for every domain on your SmarterMail Instance.

Thanks!

Ron

Thank you both Ron and Kyle, I am going to look into our SPF DKIM & DMARC settings. I really appreciate the help.

Very welcome! Thanks to Ron as well :)