@rozzin that sounds like the evolution of spam origin analysis: first, all Received: headers were checked; but then it was seen that those could actually be spoofed, too - *except* for the origin machine of the last hop. Looks like SPF picked up on that 'wisdom' and doesn't bother itself with what could be fake anyway. But thanks, I hadn't realized that about SPF (though I should have) - but I studied it a little because I had to set up the records for it for various domains and mail servers.