spam appeared to come from my domain are getting |
Stupid
Senior Member Joined: 28 November 2005 Status: Offline Points: 127 |
Posted: 19 February 2009 at 9:37am |
I had Reject if "From Domain" = "To Domain" turned on, but some of them are still coming through and I had to spend time answering users' questions and doing research on what happened.
Is there anything I can do?
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
When checking an email to see why the "From Domain=To Domain" did not work, please note the following:
The sender's email address is the one used in the so-called "envelope" or the "Return Path", which is the "real" address of the sender that was specified in the "MAIL TO" command. SpamFilter logs this address by adding it to the "X-SF-Return-Path" header. This can sometimes be different than the one specified in the "From" header of an email address. This latter (the one in the header) is what email clients use to display the "From" in an email, but again, this may not be the "real" sender.
In addition, you may also want to make sure the email was not whitelisted for some reason. If an email is whitelisted, besides being logged as such in SpamFilter's logfile, the header "X-SF-WhiteListedReason:" is added to the email itself.
All this said, if you want to zip and email us the activity logfile for the day this happened (along with the to/from email addresses involved), we'll be glad to take a look. If the zip is over 5MB in size, please let us know so I can provide you with our FTP information to give us the file.
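Added example, not part of the original posts and not LogSat's code: a Python check that reads the two headers named in the reply above from a saved message and reports whether the envelope sender or only the displayed "From" matches the recipient's domain. The sample message, the function names and the assumption that "X-SF-Return-Path" holds a plain or angle-bracketed address are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: external envelope sender, spoofed header From.
SAMPLE = """\
X-SF-Return-Path: <bounce@mailer.example.net>
From: "Joe" <joe@mydomain.com>
To: mike@mydomain.com
Subject: constructed test message

body
"""

def domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def explain(raw, rcpt):
    """Collect the facts needed to see why From Domain=To Domain did or did not fire."""
    msg = message_from_string(raw)
    # Envelope sender (SMTP MAIL FROM) as logged by SpamFilter in this header.
    envelope = parseaddr(msg.get("X-SF-Return-Path", ""))[1]
    # Address shown by mail clients; may differ from the envelope sender.
    header_from = parseaddr(msg.get("From", ""))[1]
    rcpt_dom = domain(rcpt)
    return {
        "envelope_sender": envelope,
        "header_from": header_from,
        "envelope_matches": bool(envelope) and domain(envelope) == rcpt_dom,
        "header_matches": bool(header_from) and domain(header_from) == rcpt_dom,
        "whitelisted_reason": msg.get("X-SF-WhiteListedReason"),
    }

def verdict(facts):
    """Turn the collected facts into one diagnostic label."""
    if facts["whitelisted_reason"]:
        return "whitelisted"            # whitelisted mail bypasses the rule
    if facts["envelope_matches"]:
        return "rule_should_match"      # check the activity log for this message
    if facts["header_matches"]:
        return "header_spoof_only"      # only the displayed From matches
    return "unrelated_sender"

if __name__ == "__main__":
    print(verdict(explain(SAMPLE, "mike@mydomain.com")))
```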
Stupid
Senior Member Joined: 28 November 2005 Status: Offline Points: 127 |
I looked up the autowhitelistforcedelivery.txt, I see many entries like:
MyEmailAddress@mydomain.com|MyEmailAddress@mydomain.com
AnotherCoworkeremailaddress@mydomain.com|myemailaddress@mydomain.com
How did this even happen? My SMTP (Spamfilter ISP) is a receiving only server. Internal emails are routed by my Exchange server internally.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Sometimes users may send emails to other users via tools external to your network. For example, Joe@mydomain.com may go to CNN.com, read an article, and then use the (poorly thought out, as this email will get blocked if an ISP is using SPF...!) CNN.com website to email the article to his buddy Mike@mydomain.com. If both Joe and Mike are using your services for email, CNN will be "spoofing" the email address from Joe to send the email to Mike, and will thus likely be blocked. When Mike goes to his quarantine to force the delivery of the email from Joe, the entry will be added to your autowhitelist file.
If only CNN's admins realized that they shouldn't spoof Joe's email... this problem would not occur. Unfortunately even with large companies the webmasters do not talk enough with their postmasters.... and thus these problems will occur...
Stupid
Senior Member Joined: 28 November 2005 Status: Offline Points: 127 |
So basically, there's no solution?
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
SPF (Sender Policy Framework) is a standard that was created specifically for preventing email spoofing, and unfortunately this is the very same thing CNN and others are doing.
We recommend implementing SPF on your domains (it's basically a TXT record entry in the DNS for the domains protected by SPF), rather than using the "From Domain=To Domain", because unlike the latter, SPF allows admins to publish via DNS which servers/IPs are authorized to send emails using your domain name. However, unless all the known "offenders" are added in the SPF DNS record manually, or their admins realize the mistake they're making, CNN and others will continue to have their emails rejected by antispam software that uses SPF (or the "From Domain=To Domain"
Edited by LogSat - 25 February 2009 at 10:00pm
Stupid
Senior Member Joined: 28 November 2005 Status: Offline Points: 127 |
So this will be an ongoing problem since I enabled SPF on SFI? I mean users will always release those From=To emails and add that to whitelist, then they get spammers' emails?
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Actually, a few weeks ago we released a new version of SpamFilter, which has, among other improvements, the following:
// New to VersionNumber = '4.1.2.803';
{TODO -cNew : Skipping the addition to the AutoWhiteListForceDelivery of entries where the mail_from = rcpt_to emails to reduce the chance of inadvertently whitelisting all emails with a fake "from" address matching the recipient}
Prior to this release, some admins were running scripts that would identify such entries in the AutoWhiteListForcedelivery file so they could be removed. Please see this post by one of our users (Ed_K): www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6593#12559
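Added example, not the script from the linked post and not LogSat's code: a Python audit of auto-whitelist entries in the `address|address` form quoted earlier in this thread. It separates entries where both sides are the same address (the case the new release skips) from same-domain pairs that are only reported for review; the sample lines and function names are constructed, and the comparison ignores letter case as an assumption.

```python
def split_entry(line):
    """Return both addresses lower-cased, or None if the line is not 'a@x|b@y'."""
    parts = [p.strip().lower() for p in line.strip().split("|")]
    if len(parts) != 2 or not all("@" in p for p in parts):
        return None
    return parts[0], parts[1]

def audit(lines):
    """Split entries into (keep, self_pairs, same_domain_review).

    self_pairs: both sides are the same address; these whitelist any mail
                that forges the recipient's own address as sender.
    same_domain_review: different users of one domain; kept, but reported.
    Lines that do not parse are kept untouched.
    """
    keep, self_pairs, same_domain = [], [], []
    for line in lines:
        entry = split_entry(line)
        if entry is None:
            keep.append(line)
            continue
        left, right = entry
        if left == right:
            self_pairs.append(line)
            continue
        if left.rsplit("@", 1)[1] == right.rsplit("@", 1)[1]:
            same_domain.append(line)
        keep.append(line)
    return keep, self_pairs, same_domain

# Constructed sample in the format shown in the thread.
SAMPLE = [
    "MyEmailAddress@mydomain.com|myemailaddress@mydomain.com",
    "AnotherCoworker@mydomain.com|myemailaddress@mydomain.com",
    "newsletter@example.org|myemailaddress@mydomain.com",
    "not an entry",
]

if __name__ == "__main__":
    keep, self_pairs, review = audit(SAMPLE)
    print("remove:", self_pairs)
    print("review:", review)
    print("remaining entries:", len(keep))
```

Run it against a copy of the file with SpamFilter stopped or the file backed up, and write `keep` back only after checking the `remove` list.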