It's a message from a valid internal email address. If a company's own email servers can't tell the difference between valid internal mail and external phishing, that's the company's problem, not the employees. If the company's email is hacked so that a hacker can send valid emails from a legitimate internal email address, that's the company's problem, not the employees. Nothing of value was learned by this test, besides the disdain GoDaddy has for their own employees.

If I put myself on the other side, I'd stop producing gross sexist ads, stop supporting overreaching internet legislation, and stop treating my employees like garbage.

You're assuming, incorrectly, that phishing attacks can't come from the inside.

If a hacker hacked the CEO's email address, and then used that address to email their secretary asking for information, and the secretary responded.... that is not a security failure on the secretary's part. That's the CEO's security issue, and the company's security issue. Therefore, it's a useless pen test, unless the purpose is to tell employees no emails from anyone can be trusted.

A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.

Turns out the email wasn’t sent from the internal domain, but from gocladdy.com. There was some poor kerning in the screenshots.