OK, DH staff gave me the answer (below) how it gets forged. I see. OK, thanks.
Easily, all someone needs to do is configure a computer with the same
hostname and IP info on their network card. It's a little trouble, but
can be done. The IP isn't delegated to their network, so nothing responds
on their end, but the headers show the connection from them.
Received: from ... [126.96.36.199] by blingymail-mx..."
That's not the forged part. Blingy is accepting mail from that bad
server, as it should be doing.
They're sending mail from the krrap server. That server has its
outgoing headers forging the "rolls" server and IP part of the headers.
They're sending directly to blingy. Blingy then accepts mail from that
forged header server, as it should.
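
As an added example (not part of the original post or of the staff reply), this sketch splits a message's Received chain at the point where the receiving side's own servers stop, since only the lines they stamped record a real connection. The hostnames, addresses and the `TRUSTED` set are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and IPs are placeholders (RFC 5737 ranges).
RAW = """\
Received: from rolls.sender.example ([203.0.113.7])
\tby mx1.receiver.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from rolls.sender.example ([198.51.100.20])
\tby relay.sender.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: someone@sender.example
To: user@receiver.example
Subject: test

body
"""

TRUSTED = {"mx1.receiver.example"}  # assumption: hosts the receiver operates

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_received(raw, trusted_hosts):
    """Return (boundary, unverified).

    Received lines are prepended, so the newest is first. Walk down from the
    top while each line was stamped by one of our own hosts; the last such
    line is the boundary. Everything below it was supplied by the sending
    side and can contain any hostname or IP the sender chose to write.
    """
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    boundary = None
    for i, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not (by and by.group(1).lower() in trusted_hosts):
            return boundary, hops[i:]
        boundary = hop
    return boundary, []


def connecting_ip(hop):
    """IP our server recorded for the peer in a boundary Received line."""
    m = IP_RE.search(hop) if hop else None
    return m.group(1) if m else None
```

The address returned by `connecting_ip` for the boundary line is the one to compare against the sender's published records; addresses in the unverified lines are claims only.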