>scam used a fake https://gov.uk/ address, but the messages were prevented ... recipients.
Presumably picked up on the non-existent subdomain because of .gov's DMARC policy & then created an SPF record for that subdomain so that mail from it would get trashed?
https://www.bbc.co.uk/news/technology-48990724