The mail came from 65.54.190.123 and it passes SPF > dont use whitelist_from, with that setting anyone can use that email as > sender to get whitelisted, this is okay if you do spf testing in mta > only, so spamassassin follow it as an ok, but not if you are not testing > spf in mta
What should I use, then? SPF is not checked at mta > have you configured Mail::SPF to reuse mta spf (recieved-spf header) ? No