I have a user that sent me an email from a spoofed source. They sent it as an msg file. When I reviewed the headers, I see the to, from, subject, references, date, subject, MIME-version and x-mailer fields but no Received fields or any others that looked like they were placed by outside mail transports on the Internet. Could this mean the user's mailbox was compromised and this email was placed directly in their inbox and didn't traverse the internet?
Could this mean the user's mailbox was compromised and this email was placed directly in their inbox and didn't traverse the internet?
It could mean just about anything, including that the user sent you the wrong mail, or that the mail server involved doesn't do Received: lines according to applicable standards.
This is the kind of question that needs knowledge about what mail server is involved, what release, how it has been configured, and much more. Whoever is responsible for the email server is probably the right person to ask.
Apart from that, try out the scenarios you propose using the same server and the same client, and see if try runs match reality.
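
Added example (not part of the original posts): a Python sketch of the header check the question describes, separating fields a mail client writes from trace fields that transports add in transit. It assumes the headers have already been exported from the .msg file as text; the field list, the sample headers and the name `triage_headers` are constructed for illustration.

```python
from email import message_from_string

# Trace fields normally added by mail transports and filters, not by the
# sending client. Assumption: illustrative list, not exhaustive.
TRANSPORT_FIELDS = {"received", "return-path", "authentication-results",
                    "received-spf", "dkim-signature", "delivered-to"}

def triage_headers(raw_headers: str) -> dict:
    """Split header names into transport-added and client-originated lists."""
    msg = message_from_string(raw_headers)
    transport, client = [], []
    for name in msg.keys():  # keys() keeps duplicates such as repeated Received
        (transport if name.lower() in TRANSPORT_FIELDS else client).append(name)
    hops = msg.get_all("Received") or []
    return {"transport": transport, "client": client,
            "received_hops": len(hops), "has_transit_trace": bool(transport)}

# Constructed sample: only the fields listed in the question, no trace fields.
SAMPLE_AS_REPORTED = """\
From: "Example Sender" <sender@example.com>
To: user@example.org
Subject: Invoice
References: <abc123@example.com>
Date: Mon, 01 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
X-Mailer: ExampleMailer 1.0

"""

# Constructed sample: the same kind of message after two SMTP hops.
SAMPLE_RELAYED = """\
Return-Path: <sender@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.org with ESMTP id CONSTRUCTED1; Mon, 01 Jan 2024 10:00:05 +0000
Received: from client.example.com ([198.51.100.7])
\tby mail.example.com with ESMTPSA id CONSTRUCTED0; Mon, 01 Jan 2024 10:00:01 +0000
From: "Example Sender" <sender@example.com>
To: user@example.org
Subject: Invoice

"""

if __name__ == "__main__":
    for label, raw in (("as reported", SAMPLE_AS_REPORTED),
                       ("relayed", SAMPLE_RELAYED)):
        print(label, triage_headers(raw))
```

An empty transport list only confirms the observation in the question; as the answer says, it does not by itself tell you why the trace fields are missing.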