{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreifo6qxdodbsyztroswjo63r2jhmv7tdda5geng2dpsnrs7zteitny",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mnxlqquii2d2"
  },
  "path": "/t/why-would-a-big-e-mail-provider-choose-to-allow-spoofing/38453#post_1",
  "publishedAt": "2026-06-10T20:21:20.000Z",
  "site": "https://discuss.privacyguides.net",
  "tags": [
    "https://www.fastmail.com/bug-bounty/"
  ],
  "textContent": "I’m learning about e-mail security. I know Fastmail isn’t Proton, Tuta, or Mailbox in security, but why do they choose to allow people to send e-mails as them?\n\n> “We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not enforcing passes. These policy decisions are by design, and we track the actual sender in a separate header.”\n\nThis is from https://www.fastmail.com/bug-bounty/.\n\nIf we check their DMARC, they indeed have `p=none`, instead of `quarantine` or `reject` configured in their DMARC.\n\nDoes anyone have a clue what they mean by “tracking sender in a separate header”? Does that protocol have a name? Why doesn’t a mail provider just have restrictive SPF and DMARC policies?",
  "title": "Why would a big e-mail provider choose to allow spoofing?"
}