Why would a big e-mail provider choose to allow spoofing?

Privacy Guides Community [Unofficial] June 11, 2026
Racoon:

> What they are likely doing is using the sender header to see the actual authenticated email address that sent the email out. They can then have their systems check the actual authenticated session against the email address that it set in the FROM field. If they don’t match up, it would be pretty easy for them to detect and block this.
>
> The benefit of a scheme like this is that they can ensure that they don’t unintentionally block perfectly legitimate supported use cases while also internally maintaining the integrity of their service by identifying and blocking spoofed emails.

Maybe I misunderstood you here. However, the DMARC entry in the DNS Zone of E-Mail Provider A does not help A to prevent incoming spam. It is for E-Mail Provider B to know what he should do if an E-Mail from A arrives with failed SPF and DKIM. So it is not about receiving spam but rather sending spam. And A cannot do anything like scanning, because the e-mail that failed SPF and DKIM does most likely not come from their system.
