Sender IP and SPF: The SPF record indicates that the email was sent from IP 66.211.170.88 and that this IP is a designated sender for paypal.com. This is a good sign, as SPF is a method for domain owners to specify which IPs are allowed to send emails on their behalf. Still, this can be faked in phishing emails, so it isn't an absolute proof.
DKIM Signature: DKIM provides an encryption-based method to validate the authenticity and integrity of a message. The DKIM-Signature indicates that the email is signed and suggests it genuinely came from paypal.com with the signature being verified. This is another positive sign.
DMARC: The DMARC record shows a pass for the email. DMARC builds on SPF and DKIM to give receivers a way to improve and monitor the protection of the domain from fraudulent email. This is another good indication that the email is genuine.
Helo Record: The email identifies itself as coming from mx2.phx.paypal.com. Cross-referencing this with the IP 66.211.170.88 can give more information. Ideally, a DNS lookup on this domain should resolve to this IP, or vice versa. Authentication-Results: spf=pass (sender IP is 66.211.170.88)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none
header.from=paypal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
66.211.170.88 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.88; helo=mx2.phx.paypal.com; pr=C
Received: from mx2.phx.paypal.com (66.211.170.88) by
AM7EUR06FT065.mail.protection.outlook.com (10.233.255.252) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6723.11 via Frontend Transport; Mon, 21 Aug 2023 14:39:41 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:D3EF06AD4D210DE94DD4CEF7676ADB33FFADDA146826968760B256614DBA0BB3;UpperCasedChecksum:C166224836B8549C000E1248A8D0B21B268DA10BAE404535ECAE6D2AC1E4F7F4;SizeAsReceived:1198;Count:17
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1692628775;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=y3PR47e+bNTQkjaVkSmH1awii6kjs/uhFtgV+UQXT64=;
b=Y75EdoYH0VTDJ+1oaj5hM8Ev5CFNJxLSoLPSF6ICH/o4WEEW1kKZUvQDi63VGPd5
LxThPfH3DOqpW/o/mi8AmnbRaSfuYR2vhSIVYMXghc0VQ4CKD9J06JjDN2IO5M7/
lfWDOrXZJEAbJcSr92SnOucKMwoDngZiB2gy7SJG17187W2zmGjqZAFzNton8ssu
3aM6RRfFS+JxDEpuX3XPxYzQQsczTy2Qn/L28Yl+cJ4/HaV7myzte2OGr0qi+cQw
UEyT8Gd345qdkpxBmBUAk9Tu/Wcb6gQUdm+cDymkdcnPsuOKuW6DBgj47c76Arxw
20exiKh305Upy67mHCHvAA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 21 Aug 2023 07:39:35 -0700
Message-ID: <53.BB.28950.72773E46@ccg01mail04>
X-PP-REQUESTED-TIME: 1692628766599
X-PP-Email-transmission-Id: 8a9be26e-4030-11ee-bba5-40a6b729312c
PP-Correlation-Id: b2d6ca346679c
*Subject: Invoice from Marquis Pleasants (0084)*
X-MaxCode-Template: RT000238
To: From: "service@paypal.com" X-Email-Type-Id: RT000238 X-PP-Priority: 0-none-true AMQ-Delivery-Message-Id: nullval X-XPT-XSL-Name: nullval X-IncomingHeaderCount: 17 .... X-Microsoft-Antispam: BCL:5; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Aug 2023 14:39:41.5613 (UTC) ... X-Microsoft-Antispam-Mailbox-Delivery: