Jim,

> Some of my confusion comes from your reference to "talktalk servers".

They came up because the IP address that delivered your message to
Groups.io belonged to them.

> My ISP, through which I send emails, is Talktalk Residential (who use
> the talktalk.net domain).

That's the one I was referring to.

> In addition, I had not heard of either SPF or DKIM before and I'm not
> sure of the significance of either of them.

They are email authentication standards. Plus a newer one, DMARC, which
is built on those two. Most receiving services take one or more of these
tests into account when deciding whether to deliver a message to your
inbox or to your spam folder, or not at all (reject, aka "bounce" it).

> ... but since everything is working fine (and has been for 22 years
> now) I'm not proposing to make any immediate changes.

Most receiving services will make allowances for the fact that not every
legit sender uses these newer (newer than email itself anyway) standards
that have been put in place to stem the tide of viruses, robo-spam and
other abuses. Groups.io, for example, doesn't currently use those tests
on inbound messages - which left the door open to the abuse the OP
(Gilly) suffered.

So Mark is currently trying to work out how to tighten up the inbound
security, without impacting legitimate traditional use cases such as
yours. My fingers are crossed that he'll be able to do something that is
effective but low- or no-impact for use cases like yours.

Shal