Why would a big e-mail provider choose to allow spoofing?

Privacy Guides Community [Unofficial] June 10, 2026
I’m learning about e-mail security. I know Fastmail isn’t Proton, Tuta, or Mailbox in security, but why do they choose to allow people to send e-mails as them?

“We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not enforcing passes. These policy decisions are by design, and we track the actual sender in a separate header.”

This is from https://www.fastmail.com/bug-bounty/ .

If we check their DMARC, they indeed have p=none, instead of quarantine or reject configured in their DMARC.

Does anyone have a clue what they mean by “tracking sender in a separate header”? Does that protocol have a name? Why doesn’t a mail provider just have restrictive SPF and DMARC policies?
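As an added example (not from the post, and not Fastmail's code or records), a small Python checker that classifies the posture the post quotes: the qualifier on SPF's `all` term and the DMARC `p`/`pct` tags. The DNS record strings are constructed samples, so the script runs offline.

```python
"""Assess whether published SPF/DMARC records let a third party send mail
"as" a domain. All record strings here are constructed samples."""


def parse_spf(txt):
    """Parse an SPF TXT record into {'terms': [...], 'all': qualifier} or None."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    all_qualifier, terms = None, []
    for term in parts[1:]:
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            terms.append((qualifier, term))
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """Summarise the posture. 'enforced' is True only when DMARC is
    quarantine/reject at pct=100 AND SPF does not end in '+all': with '+all'
    every host passes SPF, so DMARC's SPF alignment passes for anyone."""
    spf, dmarc = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    spf_all = spf["all"] if spf else None
    policy = dmarc.get("p", "none").lower() if dmarc else "absent"
    pct = int(dmarc.get("pct", "100")) if dmarc else 100
    dmarc_enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"spf_all": spf_all, "dmarc_policy": policy, "dmarc_pct": pct,
            "enforced": dmarc_enforcing and spf_all != "+"}


# Constructed records: one pair mirrors the open posture quoted in the post,
# the other a locked-down domain (192.0.2.0/24 is documentation space).
OPEN_SPF = "v=spf1 +all"
OPEN_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"
STRICT_DMARC = "v=DMARC1; p=reject; pct=100"
```

Running `assess(OPEN_SPF, OPEN_DMARC)` reports `enforced: False`; note that tightening only DMARC would not help while SPF still reads `+all`, since every sender then passes alignment.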
