
How is it okay for sendmail to send emails from any domain?

I just tried my hand at the sendmail function as documented in Mail::Sendmail.

I saw that I was able to send mail with a userid from any domain as long as I have an SMTP server running on localhost. How is this okay? Or am I missing something?

For instance, I was able to deliver emails with a from address such as <myname>@microsoft.com and it did deliver the same way onto my Gmail inbox. It did not even get into any junk folder.

rajaram_s asked Mar 20 '23 08:03


1 Answer

Congrats: you've just discovered email spoofing! :)

SMTP does not perform authentication of the sort you imply that it should, e.g. verifying that someone is authorized to send mail from a certain domain -- so anyone with a machine who knows how to run sendmail can do this.

Most anti-spoofing measures rely on the owner of a domain (e.g. microsoft.com) doing something which amounts to authenticating whether a message is really from them. For example, they may list every domain they normally send mail from; that's roughly what Sender Policy Framework does.

If the recipient's server gets a message purporting to be from microsoft.com, it can check to see if that domain lists the server that sent the message. If it doesn't, it will likely increase the probability that it's rated as spam.

John Feminella answered Apr 25 '23 04:04