Email is very similar to a real-world letter and has a lot of crossover with the real-world postal service. The sequence of mail servers it goes through is not unlike the way a letter will be dropped into a post box and go through several steps to reach a person.
An email is an envelope. The message is the letter inside. On the front of the envelope, you write the recipient’s address. On the back, you write your address as the sender.
Well, just like a real letter, there is absolutely nothing stopping you from writing anyone’s address as the sender. So you could pretend to be anyone you like. And because the return address is used by the email client to compose a reply, you see it pretty prominently. So if it says it’s coming from someone you trust, you’re more inclined to trust the contents and do what they say, which is how phishing works. Just this week at work we had a phishing campaign pretending to be from our internal security team (nice touch).
The only way to stop this would be for someone along the route to look at the envelope and say, wait a minute, that letter is coming from the wrong place to be from that sender – this is basically how SPF works.
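As an added example (not part of the answer above), here is a small SPF evaluator showing the "is this letter coming from the right place for that sender?" check: the receiving server takes the connecting IP and the envelope sender's domain, looks up that domain's SPF record, and sees whether the IP is authorized. The DNS records and domains are constructed in a table standing in for real TXT lookups, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT data (hypothetical domains) standing in for live lookups.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.25 ~all",
    "soft.example": "v=spf1 ip4:192.0.2.10 ~all",
}

def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it has none."""
    record = FAKE_DNS_TXT.get(domain)
    if record and record.startswith("v=spf1"):
        return record
    return None

def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate SPF (ip4 / include / all subset) for the connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                 # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"              # domain publishes no policy; nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"            # default qualifier is '+' (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced domain's policy yields pass
            matched = check_spf(client_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"     # mechanism outside this example's subset
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"               # nothing matched and no 'all' term

if __name__ == "__main__":
    # A spoofed mail claiming example.com but sent from an unrelated IP fails.
    print(check_spf("198.18.0.5", "example.com"))       # fail
    print(check_spf("203.0.113.77", "example.com"))     # pass
```

A result of fail or softfail is what the receiving server feeds into its decision to reject, quarantine or flag the message as a likely forgery.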