On Mon, 2022-11-14 at 15:14 -0500, Shawn Iverson wrote: > How do I stop this? paypal.com is in the default DKIM whitelist! >
That message really looks like it came from Paypal and then was forwarded by Microsoft to your server. Was it really a fake? That's a lot of headers to fake if so. If it was really fake and that paypal-supplied DKIM signature doesn't validate (I didn't check that), then checking DMARC when you receive mail and rejecting on p=reject failures would block it.