I received an email from a company that looked fine. Gmail deemed it OK. I checked the domain and the various DMARC, DKIM and SPF headers: they are all in "PASS" status. The sender's IP also seems to be within the range of those declared by the SPF record.
But after I contacted the company by phone (out of scruple), they stated that they were NOT the ones who sent the email.
Here is an extract of the checks (with the real company obfuscated):
...
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
...
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@<company_domain> header.s=selector1 header.b=idsPd4vx;
       arc=pass (i=1 spf=pass spfdomain=<company_domain> dkim=pass dkdomain=<company_domain> dmarc=pass fromdomain=<company_domain>);
       spf=pass (google.com: domain of <company_mail_address> designates <ipv6> as permitted sender) smtp.mailfrom=<company_mail_address>;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=<company_domain>
...
Received-SPF: pass (google.com: domain of <company_mail_address> designates <ipv6> as permitted sender) client-ip=<ipv6_same_as_above>;
Authentication-Results: mx.google.com;
       dkim=pass ...
       arc=pass ...
       spf=pass ...
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=<company_domain>
...
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=<company_domain>;
...
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
...
Now, my question is: do all the checks above in "PASS" state mean that the email was actually sent from the company's mail server? Does this mean that their mail server considered the sending client a valid one?
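
An added example, not part of the original question: a parser for Authentication-Results headers like those in the extract, which reads only the header stamped by the receiving server and reports which domain each passing check vouches for. The domain example.com, the mailbox, the 2001:db8:: address and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the extract above; example.com, the mailbox
# and the 2001:db8:: address are placeholders, not values from the real message.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=idsPd4vx;
       arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example.com dmarc=pass fromdomain=example.com);
       spf=pass (google.com: domain of billing@example.com designates 2001:db8::25 as permitted sender) smtp.mailfrom=billing@example.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=example.com;
From: Billing <billing@example.com>

body
"""

def parse_authres(value):
    """Return (authserv_id or None, {method: (result, {property: value})})."""
    value = re.sub(r"\([^()]*\)", " ", value)        # drop parenthesised comments
    parts = [p.split() for p in value.split(";") if p.strip()]
    authserv = None
    if parts and "=" not in parts[0][0]:             # leading token is the authserv-id
        authserv = parts.pop(0)[0].lower()
    methods = {}
    for tokens in parts:
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = (result.lower(), props)
    return authserv, methods

# The identity each method authenticates (a domain, never a person).
IDENTITY = {"spf": "smtp.mailfrom", "dkim": "header.i", "dmarc": "header.from"}

def authenticated_domains(raw, trusted_authserv):
    """Domains vouched for by the receiver's own header, keyed by method."""
    out = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, methods = parse_authres(value)
        if authserv != trusted_authserv:             # skip headers stamped by other hops
            continue
        for method, prop in IDENTITY.items():
            result, props = methods.get(method, ("none", {}))
            if result == "pass" and prop in props:
                out[method] = props[prop].rsplit("@", 1)[-1].lower()
    return out
```

Calling `authenticated_domains(RAW, "mx.google.com")` returns a domain per method: a pass ties the message to that domain's authorised servers and signing key, not to a particular person or account behind them.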