Spam filter oddity

This isn’t as much of an issue for me as I rarely if ever receive actual spam, however the spam filter produced false positives before for my own forwarded mails because of SPF_FAIL SPF: sender does not match SPF record, so I had to create an exclusion rule.

What prompted me to create this topic though is that Runbox’s own mail was classified for the very same reason. I am wondering whether that is a bug or not.

Return-path: <runbox@runbox.com>
Received: from exim by delivery05.runbox with sa-scanned  (Exim 4.86_2)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:15 +0100
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on antispamc02.runbox
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.0 required=5.0 tests=HTML_MESSAGE,KAM_DMARC_STATUS,
	MISSING_MIME_HB_SEP,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL autolearn=disabled
	version=4.0.0
X-Spam-Report: 
	*  6.0 SPF_FAIL SPF: sender does not match SPF record (fail)
	*  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
	*      Alignment
	*  0.0 MISSING_MIME_HB_SEP BODY: Missing blank line between MIME header and
	*       body
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF
	*      failed
Received: from [10.9.9.168] (helo=mailfront24.runbox)
	by delivery05.runbox with esmtp  (Exim 4.86_2)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:15 +0100
Received: from exim by mailfront24.runbox with sa-scanned  (Exim 4.93)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:14 +0100
Received-SPF: fail client-ip=193.58.250.140; envelope-from=runbox@runbox.com; helo=mail15.copyleft.no
Received: from mail15.copyleft.no ([193.58.250.140])
	by mailfront24.runbox with esmtps  (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.93)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 19:46:00 +0100
Received: from aibo.runbox.com ([185.226.149.25] helo=admin02.runbox)
	by mail15.copyleft.no with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <runbox@runbox.com>)
	id ###########
	for ###########@runbox.com;
	Tue, 19 Dec 2023 18:51:19 +0100
Received: from geir by admin02.runbox with local (Exim 4.93)
	(envelope-from <runbox@runbox.com>)
	id ###########
	for ###########@runbox.com; Tue, 19 Dec 2023 18:06:19 +0100
Subject: [News] Special Holiday Offer from Runbox
Sender: The Runbox Team <runbox@runbox.com>

Two more false positives of legitimate mails being caught in the spam filter. Until recently mails from the same senders passed through.

Here is the spam report:

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on antispamc01.runbox
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,
	KAM_HUGEIMGSRC,KAM_LOTSOFHASH,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=disabled version=4.0.0
X-Spam-Report: 
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*       domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
	*       background
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.2 KAM_HUGEIMGSRC Message contains many image tags with huge http urls
	* -0.0 T_SCC_BODY_TEXT_LINE No description available.
	*  5.0 KAM_LOTSOFHASH Emails with lots of hash-like gibberish
	* -0.0 DKIMWL_WL_MED DKIMwl.org - Medium trust sender