Reflexion's Spoofing Prevention option checks the Addresses listed in the headers of the message to determine if the inbound message is spoofed:
If either the Display address (From-address in Outlook) or the X-Sender address (Sender field in Reflexion Reports) claims to be from the domain receiving the mail, we will fail the incoming message. This option does NOT check the domain's SPF record, OR the Username field in a piece of mail. The block can be avoided by adding the X-sender to the Allow List, or by adding the sending IP to the IP Filtering good list.
Example of a message we would block:
From: email@example.com [userA@reflexion.net]
to: firstname.lastname@example.org [UserA@Reflexion.net]
Example of a message we would NOT block:
From: Max McElroy [email@example.com]
To: Max McElroy [UserA@reflexion.net
In the second example, the Username field of the message is copying the name of a user, but the Reflexion system only checks the email addresses that are listed within the headers, in this case the firstname.lastname@example.org address. Since this @phishco address is not listed in our Enterprise, we would not see this as a spoofed message.
There are ways to combat these Username field spoofs however, which are outlined in the below Technet article: