Dear Mail-in-a-Box staff,
Some spammers try to send spam as common subdomains as for example gplay.google.com or pay.gmail.com. If you check your spf is empty and can’t reject well with spf. Normaly the spf is configured only on primary domains and some thers but some years ago I add always the spf for *.yourdomain.com. With this, any subdomain that you checks return an spf entry and dificult spammers to avoid spf anaysis. I suggest add this by default on Mail-in-a-Box domains addeds. This not avoid that you can also add individual spf for your subdomains that replace the generic * spf.