diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 377bfcc482c48a52b64d8b6a3c429ada0efc06cd..5bd250992a07987d9b4495d347b7627fbd2b42e6 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -103,6 +103,9 @@ class Auth(object):
 
                 # Check the sender's domain has signed the event
                 if not event.signatures.get(sender_domain):
+                    # We allow invites via 3pid to have a sender from a differnt
+                    # HS, as the sender must match the sender of the original
+                    # 3pid invite. This is checked further down.
                     if not is_invite_via_3pid:
                         raise AuthError(403, "Event not signed by sender's server")
 
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index a393263e1e813d06608ddd949da498f85a3f2844..2d801bad476e280423cfded3aa8ce1db4ef2aebd 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -1930,6 +1930,9 @@ class FederationHandler(BaseHandler):
                 "Could not find invite event for third_party_invite: %r",
                 event_dict
             )
+            # We don't discard here as this is not the appropriate place to do
+            # auth checks. If we need the invite and don't have it then the
+            # auth check code will explode appropriately.
 
         builder = self.event_builder_factory.new(event_dict)
         EventValidator().validate_new(builder)