Looks to stem from default creds and SPF+all, both of which are amateur hour. In their defense, devices should not allow keeping default creds, and SPF should have never implemented the +all tag. Still, though. It’s 2025, not 2005. They should have known.