The domain example.com has an SPF record configured as:
TXT example.com. v=spf1 +a +mx -all
The domain has DNS records like:
example.com A 188.8.131.52
mail.example.com MX 184.108.40.206
mail.example.com A 220.127.116.11
When a spammer sends email from IP 18.104.22.168 to
firstname.lastname@example.org and spoofs the same address in the From field, the message is accepted by the mail server.
The "Switch on SPF spam protection" option is enabled under the Postfix Mail Service node settings, but there are no records of SPF checks in
/usr/local/psa/var/log/maillog on the mail service node. Here is an example of SPF check handler records:
Feb 23 19:55:37 server spf filter: Starting spf filter...
Feb 23 19:55:39 server spf filter: Error code: (2) Could not find a valid SPF record
Feb 23 19:55:39 server spf filter: Failed to query MAIL-FROM: No DNS data for 'example.com'.
Feb 23 19:55:39 server spf filter: SPF result: none
This behavior was identified as an internal software issue, PPA-2319 "SPF rules not updated on postfix node", and it was fixed in PA 11.5 MU#11.
To fix the issue, install update 11 as described in the article.
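To confirm after the update that the SPF handler is writing records, the maillog can be summarized as in the following added example, which is not part of the original article or of the product's tooling. The function names are hypothetical, the log format is assumed to match the handler records shown above, and the sample lines marked as constructed were made up for illustration.

```shell
#!/bin/sh
# Added example: summarize "spf filter" records in a Postfix maillog.
# Assumes the record format of the sample handler lines in this article.

# Exit status 0 if the log holds any SPF handler record, 1 otherwise.
spf_checks_logged() {
    grep -q 'spf filter: ' "$1"
}

# Print "<count> <result>" for each distinct SPF result, sorted by result.
spf_result_counts() {
    awk '/spf filter: SPF result: / {
             sub(/.*spf filter: SPF result: /, "")
             n[$0]++
         }
         END { for (r in n) print n[r], r }' "$1" | sort -k2
}

# Print sender domains for which the handler reported no DNS data.
spf_no_dns_domains() {
    sed -n "s/.*spf filter: Failed to query MAIL-FROM: No DNS data for '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Sample input: the four records from this article, followed by
# constructed lines (a non-SPF line and a second check with result "fail").
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Feb 23 19:55:37 server spf filter: Starting spf filter...
Feb 23 19:55:39 server spf filter: Error code: (2) Could not find a valid SPF record
Feb 23 19:55:39 server spf filter: Failed to query MAIL-FROM: No DNS data for 'example.com'.
Feb 23 19:55:39 server spf filter: SPF result: none
Feb 23 19:56:01 server postfix/smtpd[1234]: connect from localhost[127.0.0.1]
Feb 23 19:56:02 server spf filter: Starting spf filter...
Feb 23 19:56:03 server spf filter: SPF result: fail
EOF

if spf_checks_logged "$sample"; then
    echo "SPF results:";        spf_result_counts "$sample"
    echo "No DNS data for:";    spf_no_dns_domains "$sample"
else
    echo "No SPF handler records found: SPF checks are not being run."
fi
```

On the mail service node, pass /usr/local/psa/var/log/maillog to the functions instead of the sample file.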