Further, the reason not to always require it is that it can be a PITA to support. AWS does not support it, for instance. I think we should only require it if it actually makes a security difference, which it does in the case of third-party hosted paymails.