I asked GPT4 & dig on mx2.phx.paypal.com matches 66.211.170.88.

Sender IP and SPF: The SPF record indicates that the email was sent from IP 66.211.170.88 and that this IP is a designated sender for paypal.com. This is a good sign, as SPF is a method for domain owners to specify which IPs are allowed to send emails on their behalf. Still, this can be faked in phishing emails, so it isn't an absolute proof.

DKIM Signature: DKIM provides an encryption-based method to validate the authenticity and integrity of a message. The DKIM-Signature indicates that the email is signed and suggests it genuinely came from paypal.com with the signature being verified. This is another positive sign.

DMARC: The DMARC record shows a pass for the email. DMARC builds on SPF and DKIM to give receivers a way to improve and monitor the protection of the domain from fraudulent email. This is another good indication that the email is genuine.

Helo Record: The email identifies itself as coming from mx2.phx.paypal.com. Cross-referencing this with the IP 66.211.170.88 can give more information. Ideally, a DNS lookup on this domain should resolve to this IP, or vice versa.

Authentication-Results: spf=pass (sender IP is 66.211.170.88)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none
header.from=paypal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
66.211.170.88 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.88; helo=mx2.phx.paypal.com; pr=C
Received: from mx2.phx.paypal.com (66.211.170.88) by
AM7EUR06FT065.mail.protection.outlook.com (10.233.255.252) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6723.11 via Frontend Transport; Mon, 21 Aug 2023 14:39:41 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:D3EF06AD4D210DE94DD4CEF7676ADB33FFADDA146826968760B256614DBA0BB3;UpperCasedChecksum:C166224836B8549C000E1248A8D0B21B268DA10BAE404535ECAE6D2AC1E4F7F4;SizeAsReceived:1198;Count:17
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1692628775;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=y3PR47e+bNTQkjaVkSmH1awii6kjs/uhFtgV+UQXT64=;
b=Y75EdoYH0VTDJ+1oaj5hM8Ev5CFNJxLSoLPSF6ICH/o4WEEW1kKZUvQDi63VGPd5
LxThPfH3DOqpW/o/mi8AmnbRaSfuYR2vhSIVYMXghc0VQ4CKD9J06JjDN2IO5M7/
lfWDOrXZJEAbJcSr92SnOucKMwoDngZiB2gy7SJG17187W2zmGjqZAFzNton8ssu
3aM6RRfFS+JxDEpuX3XPxYzQQsczTy2Qn/L28Yl+cJ4/HaV7myzte2OGr0qi+cQw
UEyT8Gd345qdkpxBmBUAk9Tu/Wcb6gQUdm+cDymkdcnPsuOKuW6DBgj47c76Arxw
20exiKh305Upy67mHCHvAA==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 21 Aug 2023 07:39:35 -0700
Message-ID: <53.BB.28950.72773E46@ccg01mail04>
X-PP-REQUESTED-TIME: 1692628766599
X-PP-Email-transmission-Id: 8a9be26e-4030-11ee-bba5-40a6b729312c
PP-Correlation-Id: b2d6ca346679c
*Subject: Invoice from Marquis Pleasants (0084)*
X-MaxCode-Template: RT000238
To: <xxxxxxxxxxxxxxxxxxxxxxx>
From: "service@paypal.com" <service@paypal.com>
X-Email-Type-Id: RT000238
X-PP-Priority: 0-none-true
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
X-IncomingHeaderCount: 17
....
X-Microsoft-Antispam: BCL:5;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Aug 2023 14:39:41.5613
(UTC)
...
X-Microsoft-Antispam-Mailbox-Delivery:
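
The Authentication-Results header quoted above can be checked mechanically. The following is an added example, not part of the original thread: it parses that header and tests whether the SPF and DKIM identities align with the From domain. The function names, the simplified alignment check (no Public Suffix List) and the second sample header are assumptions constructed for illustration.

```python
import re

# The Authentication-Results value quoted in the thread, unfolded onto one line.
SAMPLE = ("spf=pass (sender IP is 66.211.170.88) smtp.mailfrom=paypal.com; "
          "dkim=pass (signature was verified) header.d=paypal.com;"
          "dmarc=pass action=none header.from=paypal.com;compauth=pass reason=100")
# Constructed contrast case: SPF passes, but for an unrelated envelope domain.
MISALIGNED = ("spf=pass smtp.mailfrom=bounce.mailer.example; dkim=none; "
              "dmarc=fail header.from=paypal.com")

def parse_authres(value):
    """Map each method (spf, dkim, dmarc, ...) to its result and properties."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    methods = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty clause or a leading authserv-id
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.lower().split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method] = {"result": result, **props}
    return methods

def aligned(identity, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Real DMARC compares organizational domains via the Public Suffix List."""
    if not identity or not from_domain:
        return False
    domain = identity.rsplit("@", 1)[-1]
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def assess(value):
    """Summarise whether the From domain is authenticated by aligned SPF or DKIM."""
    m = parse_authres(value)
    spf, dkim, dmarc = m.get("spf", {}), m.get("dkim", {}), m.get("dmarc", {})
    from_domain = dmarc.get("header.from")
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain)
    dmarc_ok = dmarc.get("result") == "pass"
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": dmarc_ok, "authenticated": dmarc_ok and (spf_ok or dkim_ok)}

if __name__ == "__main__":
    # Only trust this header when your own receiving server added it.
    for name, hdr in (("thread sample", SAMPLE), ("misaligned", MISALIGNED)):
        print(name, assess(hdr))
```

A pass from `assess` establishes that the message was sent through the From domain's own mail infrastructure; it says nothing about who created the invoice carried inside it.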

PayPal just lets people send invoice spam. It's a known problem and apparently they won't fix it.

https://news.ycombinator.com/item?id=32511086