I have been a long time customer of a local, long running and well respected internet service provider.<p>I recently found that they allow email sender spoofing. I am in discussion with them to determine the details but so far the facts are my address was spoofed and they said everything is working as intended. I did not expect this, especially given this provider's reputation. I'm surprised, shocked, and upset.<p>My question: is it unreasonable of me to expect my email provider does not allow email sender fraud?<p>Edit: I appreciate the attention and I'm sorry I was not specific.<p>The provider accepted and delivered a message that originated outside of their domain where the sender and recipient is in their domain.<p>In other words, provider is Example.com, my address is tim@example.com, they delivered a message from outside of their network that had tim@example.com as sender and recipient.
> My question: is it unreasonable of me to expect my email provider does not allow email sender fraud?<p>Yes, because you expect something that is not possible given how SMTP email is designed. Sender spoofing is trivial to perform and unless the recipient has sufficient technical knowledge to detect the spoof (they don't need much technical knowledge, but they do need some) the recipient will not know one from another.<p>You validate that your emails did in fact get sent by you by GPG (<a href="https://www.gnupg.org/" rel="nofollow">https://www.gnupg.org/</a>) signing them when you send them, and having the recipients know enough to be able to verify the GPG signatures.
In my opinion, it is reasonable to expect them to either validate you own the domain you are sending from, or to handle misuse aggressively. Perhaps they painted themselves into a corner in their infrastructure design and lack good engineers to resolve this? They might not admit this.