An annoying phish

This one sailed right through our borders. It is a CapitalOne phish. The interesting parts:

1. From: "CapitalOne Update Department"
2. Return-Path: fl@tihw0035.totalit.dk

We have Sender Auth turned on for CapitalOne. This is the SPF Framework thing that has been talked about. CapitalOne has the DNS records for it. It turns out the border appliances are applying the SPF policies to 'totalit.dk' and not 'capitalone.com'. This, in my opinion, is a bug.