On Thu, 10 May 2018 09:55:00 -0500 David Jones wrote: > On 05/10/2018 09:39 AM, RW wrote:
> > Microsoft has a list of domains it hosts and a list of hosted > > domains (and/or its own addresses) tied to each account. Given how > > much reliance MS place on DMARC's preventing spoofing, and how easy > > it would be for them to prevent one user spoofing another's domain > > on submission, I'd be very surprised if they allow it. > > > > They do. I saw an example a few weeks ago. The very fact that you are citing just one a few week ago strongly suggests that they don't. > > Paul Stead claims to have seen it, but it's important to positively > > identify it as spoofing and not hacking. > > > > Not sure what the difference is from a mail filtering perspective. The difference is that if domains that include Micrsoft's SPF are as wide open to spoofing as you suggest, they shouldn't have def_whitelist_auth entries.
