double check that the Universal Email server behavior and the Server Validation server behavior both use the same trigger.
In the page I had examined with the OP, one server behavior was using the any form pos trigger and the other was using the Submit button pressed trigger, this can allow a spammer to by pass the validation and send the email.
If they both use the same trigger, by passing the validation will also bypass the email.