Received a Warning About Clickjacking Vulnerability from a 'White-Hat' Hacker - Legitimate Concern or Spam?

Hello everyone.

Yesterday, I received an email from a so-called ‘white-hat’ hacker.

He claimed that my website was vulnerable to clickjacking because it could be displayed in an iframe. He had found a bypass. The ‘reverse proxy protection’ was not correctly configured, and this made it possible.

I have checked the headers of my site and under ‘X-Frame-Options’ it clearly states ‘SAMEORIGIN’.
Also, an online test shows that ‘X-Frame-Options’ is properly set up on the server.
So? Is this a spam message?

Are these messages that you also receive? For me, this was the first time.
I didn’t click anywhere and threw the mail in the trash bin.
Looking forward to your responses.

When you tested an IFRAME using your site as the source, what happened?
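
The header check discussed in this thread, as an added example that is not part of any post: it classifies each response's framing headers and lists the URLs that would still load in a cross-origin frame. The `example.test` URLs and header sets are constructed samples, and `framingVerdict` and `framableUrls` are hypothetical helper names.

```javascript
// Added example. Classifies one response's headers the way a current browser
// treats them when the page is loaded inside a cross-origin frame.
function framingVerdict(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  // CSP frame-ancestors, when present, is used instead of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) return 'framable';
    if (sources.every((s) => s === "'none'" || s === "'self'")) return 'blocked';
    return 'allowlist'; // only the listed origins may frame the page
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'blocked';
  // A missing or misspelled header, or the obsolete ALLOW-FROM value, gives no protection.
  return 'framable';
}

// Constructed sample: one site whose responses do not all carry the same headers,
// as can happen when a proxy or error handler answers instead of the application.
const responses = [
  { url: 'https://example.test/', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { url: 'https://example.test/login', headers: { 'X-Frame_options': 'SAMEORIGIN' } },
  { url: 'https://example.test/error', headers: {} },
  { url: 'https://example.test/app', headers: { 'x-frame-options': 'ALLOW-FROM https://partner.example' } },
  { url: 'https://example.test/docs', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
];

// URLs whose response would still render in a frame on another origin.
function framableUrls(list) {
  return list.filter((r) => framingVerdict(r.headers) === 'framable').map((r) => r.url);
}

console.log(framableUrls(responses));
```

A single header check on the home page only covers that one response; the same check applies to every path and hostname that serves the site.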