An authenticated SMTP user (e.g., user1@example.com) is able to send emails with a different "Mail From" address (such as user2@example.com), even though both addresses belong to the same domain. This behavior is undesired, as it allows users to impersonate other valid users within the domain.

Our goal is to prevent this kind of spoofing by enforcing a match between the authenticated SMTP identity and the actual sender address.