Hello everyone.
Can someone please explain to me why this example spam mail was delivered to the user?
I attached an export from FortiMail with an example, and it looks like the whitelisted value "notifications@monday.com" was treated as equivalent to "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com", which is present in the From field.
How is that possible?
Here is a detailed trace for a mail:
Hi
Your user has that sender in his whitelist (see classifier tab: User Safe).
Regards
/ Abel
That is not true, actually....
My user has this address in the whitelist: notifications@monday.com
and we are getting mail where the From parameter is set to:
bounces+6182960-837b-Name.surname=My.Domain@emails.monday.com
which is far from looking like the whitelisted address.
This one is even from a different domain, @emails.monday.com.
You have a Personal Safe List entry for "notifications@monday.com", and this is what appears in the Header From (see the first history log line).
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Isn't that ridiculous behaviour?
It really looks like a golden cave for spammers :) because basically anyone from anywhere can send a mail, and all this sender needs is to set the Header From address to one that will be accepted.
OK, next question: what can be done to stop that (and don't tell me "remove that address from the whitelist")?
BTW,
does anyone know the term "phishing attack"?
Isn't that exactly what is happening here?
When someone is trying to pretend to be someone else, for some reason.
The key word is "pretend" :)
Here the spammers are trying to pretend to be a legitimate sender, and your system is accepting mails with salt, bread, and dances over that mail, and moreover, a senior director and product manager is trying to tell us that it is correct behavior.
This is not the normal correct behavior; this is only the case when you have explicitly safelisted the sender. Safelisting is for working around situations where the sending party may not have their mail servers configured correctly (blacklisted IP, SPF fail, etc.) but where you must receive their emails. There is a warning to this effect in the admin guide for this reason.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
There are many things in your reply that do not fit my case.
First, the user whitelisted a pretty well-defined address, not even close to a wildcard.
And for some reason, the system thinks that this whitelisted address "notifications@monday.com" is exactly equal to this monster address = bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is coming in the From field.
So I still do not understand how this could happen at all.
This is not my first time working with antispam.
I have previous experience working with IronPort, Proofpoint, Retarus, Sendmail. And none of those systems ever allowed this to happen. And here, instead of trying to provide some solution for how to fix that, I get a message that this is exactly how it must work :) that's really funny.
The wildcard in the example is to show that safelisting should be used with caution because of the impact it could have. Caution should still be used for exact matches.
>And for some reason, system think that this "notifications@monday.com" whitelisted address is
>exactly equal to this monster address =
>bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com that is comming in
>From field
Your email was addressed as follows:
Mail From: bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com
Header From: notifications@monday.com
The Safelist matched the Header From.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
OK,
I hope that we both agree that the main one here is the Mail From address, as it represents the real sender address.
The Header From is only needed to change the displayed address in the Outlook client. No doubts about this here?
And now the question is: how do we need to modify the system to make it match whitelist entries against Mail From addresses and not touch the Header From? Or what else can we change to prevent that kind of spam from being accepted?
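As an added illustration (not FortiMail's code and not from the thread's export), the following Python separates the envelope sender (MAIL FROM) from the RFC 5322 Header From and shows how a safelist decision changes under the policies discussed above: matching Header From only, matching MAIL FROM only, or requiring the two to align. The sample message, the unrelated sender at example.invalid and the simplified organisational-domain logic are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not taken from the thread's FortiMail export.
SAFELIST = {"notifications@monday.com"}
ENVELOPE_FROM = "bounces+6182960-837b-Name.Surname=My.Domain@emails.monday.com"
UNRELATED_ENVELOPE = "bounce-77@example.invalid"  # constructed, unrelated sender
RAW_MESSAGE = """\
From: "monday.com" <notifications@monday.com>
To: name.surname@my.domain
Subject: constructed sample

(body)
"""

def header_from(raw):
    """Return the lower-cased RFC 5322 Header From address."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def org_domain(dom):
    # Simplification: the last two labels. Production code should use the
    # Public Suffix List, as DMARC implementations do.
    return ".".join(dom.split(".")[-2:])

def evaluate(envelope_from, raw, safelist):
    """Apply four safelist policies and report which ones accept the message."""
    hf = header_from(raw)
    env = envelope_from.lower()
    return {
        # Policy described in the thread: the safelist is matched against Header From.
        "header_from": hf in safelist,
        # Safelist matched against the envelope sender (MAIL FROM / Return-Path).
        "mail_from": env in safelist,
        # Header From must be safelisted AND the envelope domain must belong to the
        # same organisational domain (relaxed alignment, as in DMARC).
        "aligned_relaxed": hf in safelist
        and org_domain(domain_of(env)) == org_domain(domain_of(hf)),
        # Same, but the two domains must be identical (strict alignment).
        "aligned_strict": hf in safelist and domain_of(env) == domain_of(hf),
    }

if __name__ == "__main__":
    for env in (ENVELOPE_FROM, UNRELATED_ENVELOPE):
        print(env, evaluate(env, RAW_MESSAGE, SAFELIST))
```

Only the header-from policy accepts both the subdomain sender and the unrelated sender; the aligned policies distinguish the two, and the mail-from policy rejects both because neither envelope address is on the list.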