Not sure if theres a design reason for this (or plain oversight) - we have recently been noticing an uptake in spam making it through sophos email.
After looking to them - it seems that at a glance, they should be blocked because headers smtp-from (spam) does not match mail.from (our domain). After investigating abit further I encountered this line "For example, a pass on the SPF check will skip the DKIM and header anomaly check." from KB https://support.sophos.com/support/s/article/KB-000039520?language=en_US
Does this not seem like abit of a red flag? I understand skip auth checks, but header-anomaly should not be one. Any decent mailout/news-letter service is going to ask you to add spf/dkim includes to your dns for there own system - this just seems like your giving bad-actors a easy way to get through?
Would really like some insight or clarification on this. I haven't raised a support case yet - because it could just be "its this way because xyz" but that's my next stop
Note - we currently have everything toggled on, with spam aggressiveness level set to L1
Note - I confirmed there's no conflicting allow rule or policy that could impact the process.