Why would a big e-mail provider choose to allow spoofing?
Privacy Guides Community [Unofficial]
June 10, 2026
I don’t work for Fastmail, so I can only speculate as to why they would make this design choice, but my opinion is that an email provider might take this stance because they want to remain interoperable across a wide range of use cases. For example, if they were to enforce a strict DMARC such as p=reject, it could have a negative impact on users who might be using the service with some sort of external forward.
What they are likely doing is using the sender header to see the actual authenticated email address that sent the email out. They can then have their systems check the actual authenticated session against the email address that is set in the FROM field. If they don’t match up, it would be pretty easy for them to detect and block this.
The benefit of a scheme like this is that they can ensure that they don’t unintentionally block perfectly legitimate supported use cases while also internally maintaining the integrity of their service by identifying and blocking spoofed emails.
Like I said, I don’t work for that company or anything, but what I have presented does make a lot of sense and is likely why they have the service configured in such a way. In all honesty, if this didn’t work, their IP reputation would be so low that they wouldn’t be able to function as a legitimate business.
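The check the reply describes, comparing the account that authenticated to the outbound server against the RFC 5322 From header, as an added example that is not code from Fastmail or from the original post. The account table, the "verified identities" notion (aliases or external forwards a user has proven control of), and all addresses are constructed for the example.

```python
"""Submission-time alignment check between the SMTP-authenticated account
and the message's From header (constructed example, not a provider's code).

The outbound server already knows which account logged in (SMTP AUTH). Before
accepting the message, it compares that identity with every mailbox listed in
the From header; any mailbox the account has not verified is rejected. This is
what lets a provider keep a permissive DMARC policy for forwarding use cases
while still refusing to emit spoofed From addresses itself.
"""
from email.parser import Parser
from email.utils import getaddresses

# Hypothetical account table: login identity -> addresses it may send as.
VERIFIED_IDENTITIES = {
    "alice@example.com": {"alice@example.com", "alice@alias.example.net"},
    "bob@example.com": {"bob@example.com"},
}


def normalize(addr: str) -> str:
    """Lower-case only the domain part; the local part is case-sensitive per RFC 5321."""
    local, _, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}"


def check_from_alignment(raw_message: str, authenticated_user: str):
    """Return (accept, reason) for a message submitted by authenticated_user.

    Rejects when the From header is missing, unparsable, or names any mailbox
    that is not a verified identity of the authenticated account. Only the
    address is compared; the display name is free text and is not trusted.
    """
    allowed = {normalize(a) for a in VERIFIED_IDENTITIES.get(authenticated_user, ())}
    if not allowed:
        return False, f"unknown account {authenticated_user}"

    # headersonly=True: the body is irrelevant to this decision.
    msg = Parser().parsestr(raw_message, headersonly=True)
    from_values = msg.get_all("From", [])
    if not from_values:
        return False, "missing From header"

    # RFC 5322 allows several mailboxes in From; every one must be verified.
    mailboxes = [addr for _name, addr in getaddresses(from_values) if addr]
    if not mailboxes:
        return False, "From header has no parsable mailbox"

    for mailbox in mailboxes:
        if normalize(mailbox) not in allowed:
            return False, f"From {mailbox} is not a verified identity of {authenticated_user}"
    return True, "From header aligned with authenticated account"


if __name__ == "__main__":
    # Constructed submissions from the account alice@example.com.
    samples = [
        "From: Alice <alice@example.com>\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nbody",
        "From: alice@ALIAS.Example.Net\r\nTo: bob@example.com\r\n\r\nbody",
        "From: Alice <alice@example.com>, ceo@example.com\r\n\r\nbody",
        "From: CEO <ceo@example.com>\r\n\r\nbody",
        "To: bob@example.com\r\nSubject: no From\r\n\r\nbody",
    ]
    for raw in samples:
        accept, reason = check_from_alignment(raw, "alice@example.com")
        print("ACCEPT" if accept else "REJECT", "-", reason)
```

The verified-identity set is what keeps legitimate use cases working: a user who has proven control of an external address can send as it, but an account cannot put an arbitrary colleague's address in From, which is exactly the spoofing case the reply says the provider would detect and block.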