This might be a stupid question (or set of questions), but here goes...
Why do I occasionally receive messages from people spoofing my own mail address or one bearing my domain? Given that there are measures in place to prevent others receiving messages from people spoofing my address or addresses from my domain, using things like DKIM and SPF (the latter I just enabled after forgetting to do so when migrating from Webfaction), why do the Opalstack mail servers seem to deliver such spoofed messages to me? Would it not be natural to not allow outsiders to send messages "into" my domain when those messages can only genuinely originate from my domain? Does the incoming mail processing rely on general DKIM or SPF usage instead?
The headers include stuff like this:
Received: from ip-5-172-235-187.multi.internet.cyfrowypolsat.pl (ip-5-172-235-187.multi.internet.cyfrowypolsat.pl [126.96.36.199]) by mx2.us.opalstack.com (Postfix) with ESMTP id 31E2624E11E for <ME@MY_DOMAIN>; Mon, 6 Sep 2021 07:46:15 +0000 (UTC)
ME@MY_DOMAIN replaces my actual address, of course. Usually, the
From header contains my address or a one (potentially fictional) in my domain, and the
Return-Path header may or may not feature an address in my domain.
I remember asking the same set of questions at my employer, having received yet another fake "e-mail administrator needs your password" mail, wondering why any mail server would take receipt of a mail from outside the domain bearing various details purporting to be from the domain, and I got a rather angry "do not pretend you know our job better than we do", but I would hope that this question might have an answer, especially since it all rather violates common sense.