On Mon, 19 Jun 2017 15:27:36 -0400 Robert Kudyba wrote:

> > The biggest issue I see is the SPF approval:
> > ARC-Authentication-Results: i=1; mx.google.com;
> >
> > spf=pass (google.com: best guess record for domain of
> > le...@cis.fordham.edu <mailto:le...@cis.fordham.edu> designates
> > 150.108.68.26 as permitted sender)
> >
> > Perhaps a compromised account?
>
> Well this user has his sendmail account from our subdomain forward to
> his university Gmail account so that’s where the SPF kicks in. But
> how come those first IPs in the mail header pass?

Pass what?

I'm a bit confused, but if I'm understanding correctly, by spoofed HELO you meant that the HELO doesn't match the rDNS (which is full-circle), and you had expected sendmail to reject because of that. Beyond that I don't see what the question is. The only thing anomalous is that cis.fordham.edu doesn't have an SPF record; Google used a best-guess record.
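
Added example, not part of the original message: a small Python check that reads the `Authentication-Results` and `ARC-Authentication-Results` headers of a message and separates SPF passes backed by a published record from passes that rest on a receiver's "best guess record", the case noted in the message above. The sample message, addresses and IPs are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread); documentation-range addresses.
# The "best guess record" wording follows the Gmail comment quoted above.
SAMPLE = """\
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of
       alice@sub.example.edu designates 192.0.2.26 as permitted sender)
       smtp.mailfrom=alice@sub.example.edu
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of bob@example.org designates
       198.51.100.7 as permitted sender) smtp.mailfrom=bob@example.org
Subject: constructed sample

body
"""

SPF_RE = re.compile(r"\bspf=(\w+)\s*(?:\(([^)]*)\))?", re.I)
DETAIL_RE = re.compile(r"domain of (\S+) designates (\S+) as permitted sender", re.I)

def spf_findings(raw_message):
    """Return one finding per spf= result in (ARC-)Authentication-Results headers."""
    msg = message_from_string(raw_message)
    findings = []
    for name in ("ARC-Authentication-Results", "Authentication-Results"):
        for value in msg.get_all(name, []):
            unfolded = " ".join(str(value).split())  # undo header folding
            for result, comment in SPF_RE.findall(unfolded):
                detail = DETAIL_RE.search(comment)
                findings.append({
                    "header": name,
                    "result": result.lower(),
                    # "best guess" = receiver found no published SPF record
                    "best_guess": "best guess record" in comment.lower(),
                    "sender": detail.group(1) if detail else None,
                    "ip": detail.group(2) if detail else None,
                })
    return findings

def weak_passes(raw_message):
    """SPF passes that rest on a guessed policy rather than a published one."""
    return [f for f in spf_findings(raw_message)
            if f["result"] == "pass" and f["best_guess"]]

if __name__ == "__main__":
    for finding in spf_findings(SAMPLE):
        print(finding)
```

A domain that shows up in `weak_passes` is one whose owner should publish an explicit SPF record, since the pass reflects the receiver's heuristic and not the domain's stated policy.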