-2

I'm new to SMTP servers and I'm confused because after installing my SMTP server on an EC2 instance, I was able to send emails from domains that were not mine. Here is what I did:

  1. Launch a free Amazon Micro EC2 instance (Windows Server 2008 R2)
  2. Install SMTP Feature and configure the Connection and Relay to only allow my own server in the list (127.0.0.1), also set Authentication to Anonymous.
  3. Test sending emails from the EC2 instance to my personal @gmail account.

Note that this is a single EC2 instance with a public IP; I don't have any domain registered yet. At this point I'm receiving emails without errors by manually copying a .txt file into the "mailroot\pickup" folder.

I have tried changing the "From" address (in the .txt file) and they work with test domains that I don't have registered. I even tried sending one with a known domain such as "dummyAddress@coursera.org" and it worked, even though my server has nothing to do with the coursera.org domain. I have a few questions:

  1. How is it possible that I can send emails on behalf of another domain? Shouldn't there be a DNS server out there that recognizes that my server's IP doesn't belong to an "A" record for "coursera.org" or something like that?

     Using the "Show Original" option in the email received, I noticed this text: Received-SPF: fail (google.com: domain of dummyAddress@coursera.org does not designate [MY.Server.IP.Address] as permitted sender)

  2. Once I buy my domain, how can I attach my domain name to the SMTP server I set up? Is it a matter of creating an A record on the hosting platform and pointing it to the EC2 instance's IP address? Or do I need the "A" and the "MX" record, both pointing to the EC2 instance's IP? Do I also configure the "SPF" record on my side?

  3. If I also wanted to reply from my domain address such as "support@myDomain.com", do I also need to set up a mail server (such as Exchange)? Or does the domain registrar grant me an email server?

Thanks in advance for any reply, at this point I got the SMTP working but I want to understand how the SMTP works.

After receiving a downvote I wanted to clarify that I used the @coursera.org address as an example and I have been using my own @gmail account to test my SMTP server. I'm not trying to set up this SMTP server to send SPAM or cause harm.

Alex
  • I'm voting to close this question as off-topic because "teach me how DNS works" is not what we do here. – HopelessN00b Aug 18 '16 at 23:14
  • I'm sorry if "teach me how DNS works" is what you get from my question. I'm not asking how to set up a DNS server on Windows; I have done it before in a testing environment. However, it is the first time I have configured an SMTP server. If you could provide some links rather than just closing the question it would be helpful; it's not like I didn't google and search here and on stackoverflow before posting this. – Alex Aug 19 '16 at 00:05

1 Answer

0

Regarding your questions about SPF:

SMTP wasn't originally designed to protect against people sending email claiming to be from domains they don't own.

The Sender Policy Framework (SPF) was designed to combat that very problem. SPF is a simple text field that you can add to your domain's DNS records which specifies the names/IP addresses of the mail servers who are allowed to send mail from your domain. For example, if you execute nslookup against my domain, bitcrazed.com, you'll see the following highlighted record returned:

    nslookup -type=txt bitcrazed.com
    ...
    bitcrazed.com   text =

        "v=spf1 mx a ~all"

This tells anyone receiving email from bitcrazed.com that if it's sent by any server other than my mail exchanger or a server with a bitcrazed.com domain, it's likely junk.

Regarding setting up an SMTP server: Because you'll want to protect email sent on behalf of your domain, and will need to state the IP address or DNS name of your server, you'll need to host your SMTP server on a static public IP address or a DNS name that is automatically updated when your Windows instance's IP address changes, which is likely when hosted in the cloud. Some cloud hosting services operate a DNS service too which keeps your domain records in sync with your hosted VMs, websites, etc. Check with AWS about this.

Once you've got THAT sorted, you should be able to send SMTP mail. However, as you're starting to realize, handling email reliably and securely is something of a minefield. Instead of running your own server, I'd strongly recommend using a service like MailChimp etc. who can do all the heavy lifting for you for a reasonable price.

HTH.

bitcrazed
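
How a receiving server arrives at a result such as the "Received-SPF: fail" header quoted in the question, shown as an added example (not code from the question or the answer). It evaluates a subset of SPF (the ip4, a, mx and all mechanisms) against a constructed in-memory DNS zone; the domain names, IP addresses and the check_spf function are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data using documentation IP ranges; not real records for any domain.
ZONE = {
    "example.org": {
        "TXT": ["v=spf1 mx a ~all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["192.0.2.25"]},
    "strict.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "nospf.example": {"A": ["203.0.113.5"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addrs(name):
    """A-record addresses of name in the constructed zone."""
    return {ipaddress.ip_address(a) for a in ZONE.get(name, {}).get("A", [])}


def check_spf(client_ip, mail_from):
    """SPF result for client_ip sending as mail_from (hypothetical helper, RFC 7208 subset)."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rsplit("@", 1)[-1].lower()
    txt = ZONE.get(domain, {}).get("TXT", [])
    records = [t for t in txt if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"           # the domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"      # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in _addrs(arg or domain)
        elif mech == "mx":
            hosts = ZONE.get(arg or domain, {}).get("MX", [])
            matched = any(ip in _addrs(h) for h in hosts)
        else:
            return "permerror"  # mechanism or modifier outside this subset
        if matched:             # first matching term decides the result
            return QUALIFIERS[qualifier]
    return "neutral"            # nothing matched and there was no "all" term
```

The sending server is never consulted in this check: the result depends only on the connecting IP and the DNS records of the domain in the envelope sender, and what the receiver does with a fail or softfail result is its own policy decision.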