A spam email passing through email routing resulted in a drop result instead of an error.
Sender: [email protected] (no TLD specified)
SPF status: pass
DMARC status: none
DKIM status: neutral
Result: Dropped (catch-all setting)
If a spoofed sender did not include a domain, why would it get a SPF pass status?