It's important to note that just because an email has a valid-looking "MAIL FROM" address, it does not necessarily mean that the email is legitimate or trustworthy. Email spoofing is a common tactic used in phishing and spam attacks, where the attacker manipulates the "MAIL FROM" and "From" headers to make the email appear to come from a legitimate source. 

 Not if spf=pass, dkim=pass, dmarc=pass. These mails were send from the trezor mail servers. 

 That’s true, but the rest of the headers meant the mail came from a legitimate source and was signed with a legitimate key. So they must’ve been compromised in some way.