Why would a big e-mail provider choose to allow spoofing?

I’m learning about e-mail security. I know Fastmail isn’t Proton, Tuta, or Mailbox in security, but why do they choose to allow people to send e-mails as them?

“We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not enforcing passes. These policy decisions are by design, and we track the actual sender in a separate header.”

This is from https://www.fastmail.com/bug-bounty/ .

If we check their DMARC record, they indeed have p=none configured, instead of quarantine or reject.

Does anyone have a clue what they mean by “tracking sender in a separate header”? Does that protocol have a name? Why doesn’t a mail provider just have restrictive SPF and DMARC policies?

I don’t work for Fastmail, so I can only speculate as to why they would make this design choice, but my opinion is that an email provider might take this stance because they want to remain interoperable across a wide range of use cases. For example, if they were to enforce a strict DMARC such as p=reject, it could have a negative impact on users who might be using the service with some sort of external forward.

What they are likely doing is using the sender header to see the actual authenticated email address that sent the email out. They can then have their systems check the actual authenticated session against the email address set in the From field. If they don’t match up, it would be pretty easy for them to detect and block this.

The benefit of a scheme like this is that they can ensure that they don’t unintentionally block perfectly legitimate supported use cases while also internally maintaining the integrity of their service by identifying and blocking spoofed emails.

Like I said, I don’t work for that company or anything, but what I have presented does make a lot of sense and is likely why they have the service configured in such a way. In all honesty, if this didn’t work, their IP reputation would be so low that they wouldn’t be able to function as a legitimate business.

Maybe I misunderstood you here.

However, the DMARC entry in the DNS zone of E-Mail Provider A does not help A to prevent incoming spam.
It is for E-Mail Provider B to know what it should do if an E-Mail from A arrives with failed SPF and DKIM.

So it is not about receiving spam, but rather about sending spam. And A cannot do anything like scanning, because an e-mail that failed SPF and DKIM most likely does not come from their system.

That note is mostly about mail that goes out through Fastmail, not random mail already sent from somebody else’s server. They can know the authenticated account/session that submitted the message, even if the visible From: is something else, and add internal or trace headers for abuse handling. That does not make the visible From trustworthy for recipients.

The reason for p=none is usually compatibility: forwarding, mailing lists, old aliases, and people using multiple services break more often with strict DMARC. It is a tradeoff, not really a security upgrade for recipients. If you want a domain that cannot be spoofed as easily, look for SPF/DKIM aligned with DMARC quarantine or reject, but expect more delivery edge cases.
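To make the tradeoff in the two replies above concrete (strict DMARC stops a spoofed From, but also rejects forwarded mail that arrives without an aligned DKIM signature), here is a minimal DMARC evaluator. This is an added example, not code from anyone in this thread and not Fastmail's implementation. The DMARC records, domains and SPF/DKIM results are constructed for illustration, and the organizational-domain lookup is simplified to "last two labels" (a real receiver uses the Public Suffix List); the `sp=` and `pct=` tags are not handled.

```python
"""Minimal DMARC disposition check (added example, not a provider's code).

ASSUMPTIONS: organizational domain = last two labels of a hostname (real
receivers consult the Public Suffix List); sp= and pct= are ignored; all
records, domains and authentication results below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record into tag/value pairs, applying RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # default: relaxed alignment
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError(f"not a usable DMARC record: {record!r}")
    return tags


def org_domain(name: str) -> str:
    # ASSUMPTION: last two labels stand in for the Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the visible RFC5322.From header
    spf_result: str                  # "pass", "fail", ... for the MAIL FROM domain
    spf_domain: str                  # the domain SPF actually evaluated
    dkim: list[tuple[str, str]]      # (d= domain, result) per signature


def evaluate_dmarc(record: str, auth: AuthResults) -> dict[str, object]:
    """Return the DMARC result and the disposition the sender's policy asks for.
    A message passes if at least one aligned identifier authenticated."""
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, tags["aspf"])
    dkim_aligned = any(
        res == "pass" and aligned(d, auth.from_domain, tags["adkim"])
        for d, res in auth.dkim)
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags["p"],  # p= only applies on failure
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# --- constructed policies and messages (example.com is the protected domain) ---
PERMISSIVE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# Third-party host sends From: user@example.com; its own SPF/DKIM pass, but unaligned.
SPOOFED = AuthResults("example.com", "pass", "attacker.example",
                      [("attacker.example", "pass")])
# Forwarder rewrote MAIL FROM (SRS) so SPF passes for the forwarder; DKIM survived.
FORWARDED = AuthResults("example.com", "pass", "forwarder.example",
                        [("example.com", "pass")])
# Same forward, but the original was never DKIM-signed (or the signature broke).
FORWARDED_NO_DKIM = AuthResults("example.com", "pass", "forwarder.example", [])
# Signed by a subdomain key: passes relaxed alignment, fails strict.
SUBDOMAIN_SIGNED = AuthResults("example.com", "fail", "example.com",
                               [("mail.example.com", "pass")])

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("forwarded", FORWARDED),
                      ("forwarded_no_dkim", FORWARDED_NO_DKIM),
                      ("subdomain_signed", SUBDOMAIN_SIGNED)]:
        for pname, policy in [("p=none", PERMISSIVE), ("p=reject strict", STRICT)]:
            r = evaluate_dmarc(policy, msg)
            print(f"{name:18} {pname:16} dmarc={r['dmarc']:4} disposition={r['disposition']}")
```

Under p=none the spoofed message still fails DMARC, but the policy tells the receiver to deliver it anyway (the failure only shows up in aggregate reports), while under p=reject it is refused. The forwarded message passes either policy as long as an aligned DKIM signature survives the hop; the unsigned forward is exactly the legitimate mail that p=reject would drop.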

That is quite insane.