However, at least some (if not all) of the system emails that are generated and sent by the Upwork marketplace go through MailGun - and their IP addresses are missing from the SPF policy for upwork.com. Additionally, the DMARC policy for upwork.com is set to "strict" - which means that if the SPF check fails then all RFC-compliant SMTP servers should reject the message.
I raised a support ticket and clearly explained the situation. The support agent admitted that he is not trained on such things and does not understand the overly technical part of my explanations (including screenshots and logs) - so I naturally asked for escalation to someone who is more qualified.
Quite expectedly, my request was ignored and we continued our conversation back and forth. I tried to explain the security and deliverability implications of such DNS misconfiguration for the Upwork company - and my words were again ignored.
Another support agent stepped in (perhaps another shift) and we are back on step 1 - the situation is better than chatting with an AI but apparently not so much if unqualified staff refuses to transfer the ball to their more qualified colleagues.
I can understand that engineers do not want to be bothered with trivial things. But when the first line of support does not understand what I am talking about and we are exchanging a dozen messages while a mid-level engineer would have got the thing already on step 1 - all the consequences go to the company first and then to its customers.
KomoD•11h ago
No, it also lists Valimail as being able to make decisions on SPF. That's what the "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email" part is.
https://support.valimail.com/en/articles/8466461-valimail-sp...
tmcdos•11h ago
KomoD•10h ago
You can read about it here: https://datatracker.ietf.org/doc/html/rfc7208#section-7
dig +short TXT "159.112.254.142._ip.v5142.v530814cf.use4.send.mailgun.net._ehlo.upwork.com._spf.vali.email"
"v=spf1 include:mailgun.org -all"
--
dig +short TXT mailgun.org
"v=spf1 include:_spf.mailgun.org include:_spf.eu.mailgun.org -all"
--
dig +short TXT _spf.mailgun.org
"v=spf1 include:_spf1.mailgun.org include:_spf2.mailgun.org ~all"
--
dig +short TXT _spf2.mailgun.org
"v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:161.38.192.0/20 ip4:143.55.224.0/21 ip4:143.55.232.0/22 ip4:159.112.240.0/20 ip4:198.244.48.0/20 ip4:204.220.168.0/21 ip4:204.220.176.0/20 ~all"
And there's 159.112.240.0/20.
--
The SPF lookup limit is 10 which means that this way of doing it is totally valid.
And here's where you can read about the lookup limit: https://datatracker.ietf.org/doc/html/rfc7208#section-4.6.4
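To make the mechanism in this comment concrete, here is an added example (not code from the thread or from Valimail/Mailgun) that expands the RFC 7208 macro from the upwork.com record for the connecting IP, HELO name and domain, then walks the include chain offline against the records shown in the dig output above, counting DNS lookups against the limit of 10. The two Mailgun names the thread did not query are constructed placeholders that match nothing.

```python
import ipaddress
import re

# RFC 7208 section 7 macro syntax: %{letter digits r delimiters}, plus %% %_ %- escapes.
MACRO_RE = re.compile(r"%(%|_|-|\{([dihv])(\d*)(r?)([.\-+,/_=]*)\})")

def expand_macro(template, ip, helo, domain):
    # Expand the d, i, h and v macros for one connection (client IP, HELO name, domain).
    addr = ipaddress.ip_address(ip)
    values = {"d": domain, "h": helo, "v": "in-addr" if addr.version == 4 else "ip6",
              # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
              "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))}
    def repl(m):
        if m.group(1) in ("%", "_", "-"):
            return {"%": "%", "_": " ", "-": "%20"}[m.group(1)]
        letter, digits, reverse, delims = m.group(2, 3, 4, 5)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse: parts.reverse()              # 'r' modifier, e.g. %{ir} for PTR-style names
        return ".".join(parts[-int(digits):] if digits else parts)
    return MACRO_RE.sub(repl, template)

# Records copied from the dig output above; names the thread did not query are placeholders.
RECORDS = {
    "159.112.254.142._ip.v5142.v530814cf.use4.send.mailgun.net._ehlo.upwork.com._spf.vali.email":
        "v=spf1 include:mailgun.org -all",
    "mailgun.org": "v=spf1 include:_spf.mailgun.org include:_spf.eu.mailgun.org -all",
    "_spf.mailgun.org": "v=spf1 include:_spf1.mailgun.org include:_spf2.mailgun.org ~all",
    "_spf2.mailgun.org": "v=spf1 ip4:104.130.122.0/23 ip4:146.20.112.0/26 ip4:161.38.192.0/20 "
        "ip4:143.55.224.0/21 ip4:143.55.232.0/22 ip4:159.112.240.0/20 ip4:198.244.48.0/20 "
        "ip4:204.220.168.0/21 ip4:204.220.176.0/20 ~all",
    "_spf1.mailgun.org": "v=spf1 ~all", "_spf.eu.mailgun.org": "v=spf1 ~all",  # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, records=RECORDS, lookups=None):
    # Evaluate ip4/include/all terms for domain; returns (result, DNS lookups used so far).
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    for term in records[domain].split()[1:]:
        qual = QUALIFIERS.get(term[0], "pass")
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return qual, lookups[0]
        if mech.startswith("include:"):
            lookups[0] += 1                      # every include costs one DNS lookup
            if lookups[0] > 10:                  # RFC 7208 section 4.6.4 limit
                return "permerror", lookups[0]
            inner = check_spf(mech[8:], ip, records, lookups)[0]
            if inner in ("pass", "permerror"):   # matched, or error propagates up
                return (qual if inner == "pass" else inner), lookups[0]
        if mech == "all":
            return qual, lookups[0]
    return "neutral", lookups[0]
```

For the Mailgun address in the thread the walk ends in pass after 4 includes below the Valimail record (5 counting the include in upwork.com itself); an address outside every ip4 range falls through to the -all in mailgun.org.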
tmcdos•9h ago