Short version:
When the basic framework of what has become email was created back in the 60s and 70s, they had no idea that it would eventually be put into global use. They made no real effort to put abuse prevention into it, because the idea of using an academic messaging service for fraud never occurred to them. What we call ‘spoofing’ – faking the sender data for an email to unsuspecting recipients – was not something email’s initial designers had in mind, as messaging required you to have some level of access to the recipient’s system, which very few people did. As email use grew, its first widely used protocol was called [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) – Simple Mail Transfer Protocol – and its developers kept the lax security measures of the older system, but removed the required access to the recipient. That protocol is what we still use today, 40 years later.
Longer version: they’re working on it. Over the past few decades, a number of measures have been widely adopted to strengthen security – [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) (Sender Policy Framework) was the first big one, but has proven not to be enough. Since then, we’ve seen [DMARC](https://en.wikipedia.org/wiki/DMARC) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) come along, but until all email services everywhere are using all of the above, spoofing will always be possible. And even once it’s gone, we’ll still be left with the problem of ‘legitimate’ servers and addresses using similar names to existing domains in order to fool people. In those instances, a little ‘I am who I say I am’ flag would still be accurate; they just aren’t who *you* think they are.
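An added example, not part of the answer above, showing in Python what SPF checks on its own and what DMARC adds on top of it. The DNS records and the domains example.com and other.example are constructed for the demonstration; the SPF evaluator handles only `ip4:` and `-all`/`~all` terms, and "relaxed" alignment is approximated by comparing the last two labels.

```python
import ipaddress

# Constructed sample DNS TXT records for hypothetical domains (no real lookups).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s;",
    "other.example": "v=spf1 ip4:203.0.113.5 -all",  # a third party with its own valid SPF
}

def check_spf(envelope_domain, sender_ip):
    """Evaluate the ip4 / -all subset of SPF for the envelope (MAIL FROM) domain.
    Returns 'pass', 'fail', or 'none' when the domain publishes no SPF record."""
    record = DNS_TXT.get(envelope_domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            break
    return "fail"

def organizational_domain(domain):
    """Simplified relaxed alignment: last two labels only (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def check_dmarc(header_from_domain, envelope_domain, spf_result):
    """DMARC using SPF as the authenticator: SPF must pass AND the envelope domain
    must align with the visible From: domain. Returns (verdict, published policy)."""
    policy = DNS_TXT.get("_dmarc." + header_from_domain.lower())
    if not policy or not policy.startswith("v=DMARC1"):
        return ("none", None)
    tags = dict(t.strip().split("=", 1) for t in policy.split(";") if "=" in t)
    if tags.get("aspf", "r") == "s":  # strict alignment: exact domain match
        aligned = envelope_domain.lower() == header_from_domain.lower()
    else:
        aligned = organizational_domain(envelope_domain) == organizational_domain(header_from_domain)
    verdict = "pass" if (spf_result == "pass" and aligned) else "fail"
    return (verdict, tags.get("p", "none"))

def evaluate(header_from_domain, envelope_domain, sender_ip):
    """Receiver-side check for one message: SPF on the envelope domain, then DMARC alignment."""
    spf = check_spf(envelope_domain, sender_ip)
    return (spf,) + check_dmarc(header_from_domain, envelope_domain, spf)

if __name__ == "__main__":
    # Mail genuinely sent from one of example.com's listed servers: SPF passes and aligns.
    print(evaluate("example.com", "example.com", "192.0.2.10"))     # ('pass', 'pass', 'reject')
    # From: shows example.com, but the envelope domain is other.example, whose SPF covers the
    # sending IP: SPF alone passes (why SPF "has proven not to be enough"), DMARC alignment fails.
    print(evaluate("example.com", "other.example", "203.0.113.5"))  # ('pass', 'fail', 'reject')
```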