
I have been using the Rackspace email service, and I am finding that rogue emails are seemingly coming from harry@mydomain.com to james@mydomain.com but were never actually sent by that user.

As per Rackspace, this email was sent via harry@mydomain.com using his credentials. From the email headers I cannot tell whether this is a script running on secureserver.net that is doing this (using his credentials), or whether it is sending a spoofed email (the script sends SMTP without authentication and just sets the email To/From fields accordingly).

My questions are:

  1. SMTP servers can receive email in two ways: 1) from other SMTP servers, or 2) from a client that authenticates and relays through it. Without access to the receiving server logs, where is the detail in the header which indicates that the client is relaying via an authenticated username/password?

  2. Where the additional details are added, are these spoofed by the sender or genuine: X-Get-Message-Sender-Via: a2plcpnl0576.prod.iad2.secureserver.net: authenticated_id:admin@weirddomain.com?

  3. Although we have SPF records for the domain that only include the webserver IP and include:emailsrvr.com with the -all flag, Rackspace say it is not possible to use this to check against spoofed email. Is this because they have authenticated to the SMTP server and relayed in this case?

Headers are below:

Delivered-To:   james@mydomain.com
Return-Path:    <harry@mydomain.com>
Received:   from smtp48.gate.iad3a (smtp48.gate.iad3a.rsapps.net [172.27.146.93]) by store370a.mail.iad3a (SMTP Server) with ESMTP id 6B21338004D for <james@mydomain.com>; Tue, 22 Mar 2016 18:51:50 -0400 (EDT)
X-Spam-Threshold:   95
X-Spam-Score:   0
X-Spam-Flag:    NO
X-Virus-Scanned:    OK
X-MessageSniffer-Scan-Result:   0
X-MessageSniffer-Rules: 0-0-0-5195-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis:    v=2.1 cv=Ksx0hwmN c=1 sm=0 tr=0 a=03oFrmF08fajSB7oc4goJw==:117 a=3DDquuGS2V5BkRhJnJP3ow==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=AsRiV6KZ74iSbj+k8RJYJIAeGPg=:19 a=2L8f7PMcNrQA:10 a=7OsogOcEt9IA:10 a=KXl77lDgDEgIEtoqJYcA:9 a=_6GpL_ENAAAA:8 a=ZYf_q_66Zn7mdDxIrUkA:9 a=giY71Mj1q15_ivv6:21 a=NF3jo81ehh1LRULu:21 a=wPNLvfGTeEIA:10 a=xupg4knwUDYA:10 a=iDzWDAaf-0_1B4d3PKkA:9 a=AX674DPcPDPt-UkY:21 a=v5bIRgG1RGZFvm2Y:21 a=_W_S_7VecoQA:10
X-Orig-To:  james@mydomain.com
X-Originating-Ip:   [198.71.225.37]
Received:   from [198.71.225.37] ([198.71.225.37:50277] helo=a2nlsmtp01-03.prod.iad2.secureserver.net) by smtp48.gate.iad3a.rsapps.net (envelope-from <harry@mydomain.com>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA) id B2/C7-21891-17EB1F65; Tue, 22 Mar 2016 18:51:50 -0400
Received:   from a2plcpnl0576.prod.iad2.secureserver.net ([198.71.236.72]) by : HOSTING RELAY : with SMTP id iUAOaPfNohy43iUAOaMLT4; Tue, 22 Mar 2016 14:48:44 -0700
Message-ID: <B7.A7.22894.92AA1664@smtp48.gate.iad3a.rsapps.net>
Received:   from [77.234.42.143] (port=65110 helo=[100.100.48.14]) by a2plcpnl0576.prod.iad2.secureserver.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85_1) (envelope-from <harry@mydomain.com>) id 1aiUAO-0010vj-5P for james@mydomain.com; Tue, 22 Mar 2016 14:48:44 -0700
Content-Type:   multipart/alternative; boundary="===============0122389713=="
MIME-Version:   1.0
Subject:    Important
To: Recipients <harry@mydomain.com>
From:   "Harry" <harry@mydomain.com>
Date:   Tue, 22 Mar 2016 16:48:39 -0500
Reply-To:   hitmeup55@hotmail.com
X-Antivirus:    avast! (VPS 160322-0, 03/22/2016), Outbound message
X-Antivirus-Status: Clean
X-AntiAbuse:    This header was added to track abuse, please include it with any abuse report
X-AntiAbuse:    Primary Hostname - a2plcpnl0576.prod.iad2.secureserver.net
X-AntiAbuse:    Original Domain - mydomain.com
X-AntiAbuse:    Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse:    Sender Address Domain - mydomain.com
X-Get-Message-Sender-Via:   a2plcpnl0576.prod.iad2.secureserver.net: authenticated_id: admin@weirddomain.com
X-Source:   
X-Source-Args:  
X-Source-Dir:   
X-CMAE-Envelope:        MS4wfEPENpifHOCgRpfP6548FFaFh5aGvLkdZm1fLn1ObUi/GIxIvKJEpHzquISJMsZqy70pnMkKI97Q9A0DqQ32JQ78HW6S1tBah8JgoDrTNI9F4pp4EDOM HTkGtTYtUC9r9UUrKvESTtmSFszS6652/MgX84oIFe88If6ClU4eOj36h5+xgnUIKFWOr106/ju1qIlkFmQeQS7UynivyRiK6r8QHvsju7aabN+eUPHBb+4qI
morleyc

1 Answer


The key line is here.

Received: 
   from [77.234.42.143] (port=65110 helo=[100.100.48.14]) 
   by a2plcpnl0576.prod.iad2.secureserver.net 
   with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85_1) 
   (envelope-from <harry@mydomain.com>) id 1aiUAO-0010vj-5P 
   for james@mydomain.com; Tue, 22 Mar 2016 14:48:44 -0700

It says that a2plcpnl0576.prod.iad2.secureserver.net received a message with SMTP AUTH (abbreviated here as ESMTPSA) from [77.234.42.143], which identified itself as [100.100.48.14] (from second-tier non-public IP address space, aka carrier-grade NAT).

77.234.42.143 resolves to ten.emfme.net, which should give us the actual sender. Since this IP address belongs to the AVAST cloud, you may get additional details about messages originating from this IP from abuse@avast.com.

sanmai
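As an added example (not part of the question or of sanmai's answer), the following Python script applies the reading above mechanically to the headers quoted in the question: it walks the Received chain from the newest hop (the one Rackspace's own server wrote) back to the oldest, flags the hop whose protocol name says the client authenticated (Exim's esmtpa/esmtpsa, which Postfix also uses, or the Sendmail-style "(authenticated ...)" comment), and pulls the authenticated_id out of X-Get-Message-Sender-Via for question 2. It uses only the standard library; the regexes and the sample message (assembled from the question's headers, body omitted) are mine.

```python
"""Locate the authenticated-submission hop in a message's Received chain.

Added example, not from the original post. Parses the headers quoted in the
question with the standard email library. Nothing here is a Rackspace or
secureserver.net API; the regexes are hand-written for common MTA formats.
"""
import email
import re

# Constructed sample: the headers from the question, body omitted.
RAW_MESSAGE = """\
Return-Path: <harry@mydomain.com>
Received: from smtp48.gate.iad3a (smtp48.gate.iad3a.rsapps.net [172.27.146.93]) by store370a.mail.iad3a (SMTP Server) with ESMTP id 6B21338004D for <james@mydomain.com>; Tue, 22 Mar 2016 18:51:50 -0400 (EDT)
Received: from [198.71.225.37] ([198.71.225.37:50277] helo=a2nlsmtp01-03.prod.iad2.secureserver.net) by smtp48.gate.iad3a.rsapps.net (envelope-from <harry@mydomain.com>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPS (cipher=AES256-SHA) id B2/C7-21891-17EB1F65; Tue, 22 Mar 2016 18:51:50 -0400
Received: from a2plcpnl0576.prod.iad2.secureserver.net ([198.71.236.72]) by : HOSTING RELAY : with SMTP id iUAOaPfNohy43iUAOaMLT4; Tue, 22 Mar 2016 14:48:44 -0700
Received: from [77.234.42.143] (port=65110 helo=[100.100.48.14]) by a2plcpnl0576.prod.iad2.secureserver.net with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.85_1) (envelope-from <harry@mydomain.com>) id 1aiUAO-0010vj-5P for james@mydomain.com; Tue, 22 Mar 2016 14:48:44 -0700
From: "Harry" <harry@mydomain.com>
To: Recipients <harry@mydomain.com>
Reply-To: hitmeup55@hotmail.com
X-Get-Message-Sender-Via: a2plcpnl0576.prod.iad2.secureserver.net: authenticated_id: admin@weirddomain.com
Subject: Important

(body omitted)
"""

# "from <client> by <server> with <protocol>" is the RFC 5321 trace skeleton.
RECEIVED_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>.*?)\s+with\s+(?P<with>\S+)",
                         re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
ENVFROM_RE = re.compile(r"envelope-from\s+<([^>]+)>", re.IGNORECASE)
# Exim/Postfix protocol names: (e)smtp + optional 's' (TLS) + 'a' (SMTP AUTH).
AUTH_PROTO_RE = re.compile(r"^e?smtps?a$", re.IGNORECASE)


def parse_received(value):
    """Split one Received header into client, server, protocol and trace extras."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_part, proto = m.group("from"), m.group("with")
    ip, helo, env = IPV4_RE.search(from_part), HELO_RE.search(from_part), ENVFROM_RE.search(value)
    return {
        "client": from_part.split()[0],
        "client_ip": ip.group(1) if ip else None,       # IP the server actually saw
        "helo": helo.group(1) if helo else None,        # name the client claimed
        "by": re.sub(r"\s*\(.*", "", m.group("by")),    # drop trailing comments
        "with": proto,
        # Sendmail writes "(authenticated bits=0)" instead of changing the protocol name.
        "authenticated": bool(AUTH_PROTO_RE.match(proto)) or "authenticated" in value.lower(),
        "envelope_from": env.group(1) if env else None,
        "timestamp": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def received_chain(raw_message):
    """Hops in header order: index 0 was added last, by the final receiving server."""
    msg = email.message_from_string(raw_message)
    return [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]


def find_authenticated_hop(raw_message):
    """First hop (newest first) whose trace says the client used SMTP AUTH, or None."""
    for hop in received_chain(raw_message):
        if hop["authenticated"]:
            return hop
    return None


def sender_via_authenticated_id(raw_message):
    """The authenticated_id recorded by the cPanel/Exim submission host, if present."""
    msg = email.message_from_string(raw_message)
    m = re.search(r"authenticated_id:\s*(\S+)", msg.get("X-Get-Message-Sender-Via", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        tag = "AUTH" if hop["authenticated"] else "    "
        print(f"[{tag}] hop {i}: {hop['client_ip']} (helo={hop['helo']}) -> {hop['by']} with {hop['with']}")
    print("authenticated_id:", sender_via_authenticated_id(RAW_MESSAGE))
```

Two caveats when reading the output. Each Received line is only as reliable as the server that wrote it, and a submitting client can supply forged Received lines of its own, which is why the walk starts at the top: the hop Rackspace's border host wrote (ESMTPS from 198.71.225.37) is the last one the recipient's own infrastructure verified, and the esmtpsa hop below it rests on trusting secureserver.net's Exim. That same ordering answers question 3: SPF is evaluated against the IP that connected to the receiving MTA (198.71.225.37 here) and the envelope-from domain, so it never sees whether, or as whom, the message was authenticated at the upstream submission hop.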