The “send on behalf of” configuration from Exchange is not respected by Dynamics. No application should be able to bypass the rules set on the Exchange server. So, for example, if a user does not have explicit permission to send on behalf of an account, Dynamics ignores that fact and still allows the user to add the account in the D365 configuration's “on behalf of” field.
Anybody who has Dynamics FO in a tenant can send mails across domains on behalf of anybody/any domain in the tenant.
Adding security in Dynamics shouldn't be the solution, as the root of this behaviour is that Exchange must be respected.
ALL of the users (for example the admins) from different environments can send mails with no limitations. No setup is needed; Exchange only has to be activated as an option, with no validation, login or approval needed.
As per Microsoft best practice, SysAdmin is needed in D365 FO DevBoxes, and that is often the solution for debugging. So a lot of accounts can send those emails.
This is a security issue, as any person can add an important account of the company as the sender email and try to impersonate them. The emails even reach the real mailbox of that sender. It can lead to financial loss/scams.
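The following is an added example, not code from the original post or from Microsoft: an Exchange Online PowerShell audit that lists which accounts Exchange has actually granted "send on behalf of" or "Send As" on a set of mailboxes, and pulls a recent message trace for those addresses, so an admin can compare Exchange's real delegation with the sender addresses users have configured in D365 FO. It assumes the ExchangeOnlineManagement module is installed and the caller has Exchange admin rights; the mailbox addresses in `$dynamicsSenders` are constructed placeholders.

```powershell
# Added example (not from the original post): audit Exchange Online delegation
# for sender addresses that appear in the D365 FO email configuration.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.

Connect-ExchangeOnline

# Sender addresses users have entered in D365 FO (constructed list; in practice
# take them from the Dynamics email configuration you are reviewing).
$dynamicsSenders = @('ceo@example.com', 'finance@example.com')

$report = foreach ($address in $dynamicsSenders) {
    $mailbox = Get-Mailbox -Identity $address -ErrorAction SilentlyContinue
    if (-not $mailbox) {
        Write-Warning "$address is not a mailbox in this tenant"
        continue
    }

    # Delegates Exchange has explicitly granted "send on behalf of".
    $onBehalf = $mailbox.GrantSendOnBehalfTo

    # Trustees holding "Send As" on the mailbox (SELF is implicit and skipped).
    $sendAs = Get-RecipientPermission -Identity $address -AccessRights SendAs |
              Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
              Select-Object -ExpandProperty Trustee

    [PSCustomObject]@{
        Mailbox        = $address
        SendOnBehalfOf = ($onBehalf -join '; ')
        SendAs         = ($sendAs -join '; ')
    }
}

# Anything sent "on behalf of" these addresses by a user who is not listed
# above was not authorized by Exchange.
$report | Format-Table -AutoSize

# Recent mail from each address (message trace covers the last 10 days).
# The trace shows all mail from the address, so it has to be correlated with
# the Dynamics-side records of outbound email to isolate what D365 FO sent.
foreach ($address in $dynamicsSenders) {
    Get-MessageTrace -SenderAddress $address `
                     -StartDate (Get-Date).AddDays(-7) `
                     -EndDate (Get-Date) |
        Select-Object Received, SenderAddress, RecipientAddress, Subject, Status
}
```

The report gives the set of principals Exchange would accept as senders for each mailbox; any Dynamics user outside that set who has the address configured is a case of the behaviour described above, and the trace output is the starting point for checking whether such mail was actually delivered.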