- Is the "X-Originating-Ip" always pointing to the external IP of the computer that sent the email? Or does it point to other relays in the transfer (i.e. email server, AV, etc.)?
- For some of the spoofed emails I am examining, I do not see an X-originating-IP, but I do see an "X-client-IP" populated. Are these basically the same? Is this the external IP of the computer that sent the email?
Everything starting with "X-" is vendor-defined, added by yourself and not part of the original RFC defining email communications. Everyone and every product can add a self-defined "X-Header". Therefore, X-* can mean everything and nothing. Adding a header like "X-Fun: Beer, coke and a base jump!" would be a valid entry.
In your case, you should ask the vendor or postmaster to be on the safe side. But from my experience: "X-originating-IP" and "X-client-IP" are set by the very first mail server that gets the email from the mail client.
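
One way to check that claim on a message under examination, as an added example that is not part of the original answer: the Python sketch below extracts the two X- headers and compares each value with the client address recorded in the earliest `Received` line. The sample message, the function names and the IPv4-only regex are assumptions made for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; every address and host name is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTP id abc123; Tue, 2 Jan 2024 10:00:05 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA id xyz789; Tue, 2 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
X-Client-IP: 10.1.2.3
X-Fun: Beer, coke and a base jump!
From: sender@example.net
To: analyst@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")  # IPv4 only
CLIENT_HEADERS = ("X-Originating-IP", "X-Client-IP")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _ips(text):
    """Return the syntactically valid IPv4 addresses found in a header value."""
    out = []
    for cand in IP_RE.findall(text):
        try:
            out.append(ipaddress.ip_address(cand))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is invalid
            pass
    return out

def analyze(raw):
    """Compare vendor X- client headers with the earliest Received hop."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Each server prepends its Received line, so the last one is the first hop.
    from_part = re.split(r"\sby\s", str(received[-1]), maxsplit=1)[0] if received else ""
    first_hop = _ips(from_part)
    report = {}
    for name in CLIENT_HEADERS:
        for ip in _ips(str(msg.get(name, ""))):
            report[name] = {"ip": str(ip),
                            "rfc1918": any(ip in net for net in RFC1918),
                            "matches_first_received": ip in first_hop}
    return report
```

A match only shows the two values agree with each other. `Received` lines written before the message reached a server you trust come from the sending side, exactly like the X- headers.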