I can't understand why anyone would give any entity access to their email, it's really baffling.
I personally see LinkedIn as horrible, and deleted my account long ago. They don't let you restrict who can view your profile, and they allow people to remain anonymous. For anyone who cares about Privacy, this should be a huge no-no.
I thought LinkedIn has always marketed itself as a professional networking service and thus perceived it as a public area open to corporate scrutiny... it's not healthy to mix "social" with "professional" in situations dealing with corporate employers.
Agreed, it's incredible, and utterly dumbfounding, that people would simply turn over access to their email like that. The only explanation I can imagine is that other (younger?) people just don't take email as seriously.
Isn't it more likely that they just sent the emails themselves but used his email as the "Reply To" address? A lot of software systems (SalesForce, Hubspot, etc.) do that too.
Errm no, a reply-to header is not the same as a sender envelope. Spam filters will flag emails that are faking the sender envelope. SPF is also only checking the sender envelope. A reply-to can generally be whatever you want, same for the from header... So LinkedIn sends email with from and reply-to headers set with your email, but the sender envelope is from their server. So the email appears to come from you, but was sent from a LinkedIn server, which is set up to pass the SPF test so does not get flagged by the spam filter. Check the headers in the email's raw source, and you will see what I mean.
It appears the parent comment I was replying to got edited after I posted this. Thanks TylerJay for completely changing the meaning of your comment without any notice.
The original comment suggested that they sent the email themselves as if it had come from the user, not merely setting Reply-To.
That would only be true for only some recipients (by far not "everybody") only if Google's SPF record forbade other SMTP servers with -all. It doesn't, it uses ~all soft-fail.
Why? Precisely because of this: there are lots of perfectly legitimate situations when a third party sends email on your behalf.
Moreover, if LinkedIn signs their outgoing emails with DKIM, that would be a positive signal for a spam filter (and e.g. Gmail would show such mail as "sent via LinkedIn" or something to that effect).
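The distinction argued in the comments above (envelope sender versus From and Reply-To headers, which domain SPF evaluates, the DKIM signing domain, and `~all` versus `-all`), as an added example that is not part of any poster's comment. The message, domains and SPF records are constructed, and `Return-Path` is assumed to carry the envelope sender as recorded by the receiving server.

```python
import email
from email.utils import parseaddr

# Constructed sample: a third-party service sending on behalf of a user.
RAW = """\
Return-Path: <bounce-123@mailer.service.example>
DKIM-Signature: v=1; a=rsa-sha256; d=service.example; s=sel1; bh=CONSTRUCTED; b=CONSTRUCTED
From: Alice Example <alice@mailbox.example>
Reply-To: alice@mailbox.example
To: bob@recipient.example
Subject: Invitation

Hello
"""

def domain_of(value):
    """Lowercased domain of an address header value, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_domain(msg):
    """The d= tag (signing domain) of the first DKIM-Signature header."""
    for tag in msg.get("DKIM-Signature", "").split(";"):
        key, _, val = tag.strip().partition("=")
        if key.strip() == "d":
            return val.strip().lower()
    return ""

def analyze(raw):
    msg = email.message_from_string(raw)
    env, frm = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    dk = dkim_domain(msg)
    return {
        "envelope_domain": env,            # the domain SPF is evaluated against
        "from_domain": frm,                # what the recipient's client displays
        "reply_to_domain": domain_of(msg.get("Reply-To")),
        "dkim_domain": dk,
        "from_matches_envelope": env == frm,
        "from_matches_dkim": dk == frm,
    }

def spf_all_policy(record):
    """Result an SPF record assigns to senders matched only by 'all'."""
    quals = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split():
        if term.lower().lstrip("+-~?") == "all":
            return quals.get(term[0], "pass")  # bare 'all' means '+all'
    return "neutral"                           # no 'all' term: default result
```

On the sample, the From and Reply-To domains are the user's while the envelope and DKIM domains belong to the sending service, which is the pattern a mail client may label as sent "via" a third party.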
Sounds like you know more about this than I do. I will defer to your greater knowledge.
Although "there are lots of perfectly legitimate situations when a third party sends email on your behalf" strikes me as being rather wrong. I cannot think of a single reason why anyone else should be sending email that claims to be coming from my email address. Sending email that lists me as a reply-to, sure. But as the sender? Not a chance.
It's common in enterprise products where the user's first action is in a non-email.
Like I've uploaded version 1 of the plans, added some notes and the system needs to send out an email to everyone, I did the action, it's coming from me, not the system.
You did the action, but that does not ever justify sending the email with an envelope claiming it came from you. Because you did not send the email. It could certainly put you as a Reply-To on the email, and it might possibly justify putting your name on the From line, but actually claiming to have been sent from your email address is wrong.
The pizza boy doesn't ask for your home keys EVERY TIME he brings you a pizza.
Yet LinkedIn goes far beyond that. LinkedIn is clearly engaging in "dark UI patterns", hoping to trick you into giving those keys (and using them too!) when you are not mindful.
Yeah, I'm always wary of allowing any app to send emails on my behalf, unless it's something I've put together myself (e.g. email alerts for internal stuff breaking, etc).
The fact that they requested access to your email account should have been warning enough.