The entire internet was designed to not require any sender to prove their identity. In fact all traffic, as it travels through the internet, “self reports” where it came from, similar to how you can write anything you want in the return address of an envelope. The people who designed it were scientists and hobbyists and not thinking about the internet getting so big, and so important, that it would be worth anyone’s while to lie about where traffic came from.

Email protocols were invented around the same time. As such, they trust the “return address” that the sender claims to be. That’s just how it was invented, and the internet is now too big for anyone to propose a single, more secure system, that everyone would agree to adopt at once.

Instead, people have had to layer in “proof of identity” technology over the top of a system that doesn’t require it. One way is via “certificates,” that work a little like signatures. By comparing the signature on the email (or any data in general) with the “official” signature on file in some central trusted authority, you can tell it came from who it was supposed to. Some email providers like GMail now try to do this automatically, but this really only works if both the sending and receiving parties agree on who the authority should be.