In fact, this is what I thought! but I can’t think of any other way that this could happen. Our recipient server is outlook exchange server. The sending server is on an amazon cloud server (so I would assume it is being sent from a cms hosted in the cloud).