Recently, I have received two messages which produced SPF Pass for juno.com, but the message From addresses were in a second domain and the reply to address was in a third domain.

I have recently been monitoring unverifiable "From" addresses, and this issue was caught in the audit.   IIt was a big surprise for me, because I expect mailbox providers like Juno to prevent this type of impersonation.

In response, I have added a Declude rule to require address alignment or aligned DKIM signature when the source is a mailbox provider like juno or gmail.   I also added a content filter for Received lines indicating the domain that originated the attacks, dreamsinheels.com.