docs: Add note about sender validation/spoofing

Authenticated users are intentionally allowed to send email as other users or
domains. This is a design choice made to balance simplicity of operation and
use.

However, it can be surprising and it's not obvious, so this patch adds a
note to the documentation about it.

Thanks to Matěj Volf for suggesting this improvement!

Fixes: https://github.com/albertito/chasquid/issues/62

docs/flow.md

@@ -20,12 +20,31 @@ processing, in particular how messages flow through the system.
     - If the destination is local, check that the user exists.
 - Client sends DATA.
 - Client sends actual data, and ends it with '.'
-    - Run the post-data hook. If the hook fails, return an error.
     - Parse the data contents to perform loop detection.
+    - If the sender is authenticated, DKIM-sign the email with the
+      corresponding key.
+    - If the sender is not authenticated, verify the DKIM signature (if the
+      email has one).
     - Add the required headers (Received, SPF results, post-data hook output).
+    - Run the post-data hook. If the hook fails, return an error.
     - Put it in the queue and reply success.
 
 
+### Authenticated mail, and email spoofing
+
+By default, authenticated users can send emails as any other user or domain.
+For example, you can authenticate as `a@a`, and send email as `b@b`.
+
+This is a design choice made to balance simplicity of operation and use.
+
+Users who want to be strict about "MAIL FROM" or even "From:" validation can
+add additional checks in the [post-DATA hook](hooks.md).
+
+In the future, chasquid may get some option to be strict about it by default,
+or on a per-domain or per-user basis. But for now, using a [post-DATA
+hook](hooks.md) is the best way to make chasquid more strict about this.
+
+
 ## Queue processing
 
 Before accepting a message: