Thread: Why no SMTP Auth?
View Single Post
Old 8 Oct 2019, 11:45 AM   #3
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Quote:
Originally Posted by TheJapanese View Post
...Why does Fastmail not use SMTP Auth within it's service?...
I don't understand what is bothering you. As the previous post describes, Fastmail does require SMTP Authentication (over a secure connection).
  • This means that someone attempting to use the Fastmail SMTP outgoing email server must authenticate using a password.
  • Even better, Fastmail forces you to use a unique App Password for every email client you use. If you lose your phone or PC with an email client installed, you can disable that one App Password so that one device is disabled from sending or receiving email.
  • You can choose which services that device can access. So you can enable one device to access your Fastmail calendar but not send or receive email.
  • See: https://www.fastmail.com/help/clients/apppassword.html
But SMTP Authentication has nothing to do with your complaint:
Quote:
Originally Posted by TheJapanese View Post
...It would be much more secure as I can be sure, that no one else is using my domain/alias to send mails from...
The existing email standards allow anyone to use your domain/alias in the From field of their emails!
  • There is currently no way to prevent any SMTP sending server from generating an email using any From address, including one at your personal domain.
  • However, the destination (receiving) server can choose to reject connections from known insecure sending servers.
  • Spam filtering systems at the destination server can also use sender authentication (which has nothing to do with SMTP authentication) in an attempt to verify that the email was sent by the intended sender, and there are several current and new methods to do this. See:
    https://www.fastmail.com/help/techni...ntication.html
  • Fastmail supports some of these sender authentication standards on both the sending and the receiving end. For example, if you host your domain with Fastmail they can provide support for sending messages with features such as:
    • DKIM
    • SPF
    • DMARC
  • For example, I host my domain (and DNS records) at Fastmail. When I send email through the Fastmail outgoing SMTP server, DKIM proves that my message was not corrupted (accidentally or purposely) during transmission and relays. SPF allows me to specify that only the Fastmail SMTP outgoing servers are allowed to send messages From my domain without generating an internal warning at the receiver. DMARC allows me to specify that I want messages that fail both DKIM and SPF tests to be rejected - I can't force the receiving server to reject these fake messages, but I can instruct them that I want them to take that action.
So if you host your personal domain at Fastmail, it's possible to set it up so that you are doing everything possible to specify that others don't spoof your domain with fake emails. But you can't force other email servers to follow these standards.

Bill
n5bb is online now   Reply With Quote