IDK. First thing I say in every single security talk I give is "The Sender Address displayed in an email is just what the sender put there, nothing more". If the email needs some kind of validation it needs to carry that token itself (and here begins my long graybeard rant on why we should all be digitally signing emails as a matter of course).