As such, the ability to reply to the RFC5322.From tells you almost nothing
about its legitimacy. ...
I seem to recall common use of From: field validation back when that
capability was introduced into open source sendmail as an anti-spam tactic,
though it was never supported by the vendor directly. Maybe it's less
common now.
If people start rejecting because .INVALID is on the From: line, it
is the work of a moment to adjust it to something like this:
From: Marissa <marissa@yahoo.com.not.sp.am>
and the work of about three moments to spin up a fake MTA that accepts
any RCPT TO and rejects at DATA. Or I suppose it could just be an
open relay.
This of course trains people to be phished, by telling them that
<security@paypal.com.some.thing> is the same as
<security@paypal.com>.
R's,
John
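An added illustration of the point about dotted suffixes, not part of John's post: a DMARC-style relaxed alignment check that matches whole labels anchored at the right-hand end, so `paypal.com.some.thing` is not treated as `paypal.com`. The sample From: headers are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed sample From: headers modelled on the addresses discussed
# above; none of them come from real messages.
SAMPLES = {
    "legit":   "Security <security@paypal.com>",
    "subdom":  "Security <security@mail.paypal.com>",
    "suffix":  "Security <security@paypal.com.some.thing>",
    "rewrite": "Marissa <marissa@yahoo.com.not.sp.am>",
    "invalid": "Marissa <marissa@yahoo.com.invalid>",
}

def from_domain(header_value: str) -> str:
    """Return the lower-cased domain of the RFC5322.From address, or ''."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")

def aligned(domain: str, org_domain: str) -> bool:
    """Relaxed alignment: the From domain equals org_domain or is a
    subdomain of it. The comparison is on whole labels anchored at the
    right, so a domain that merely *starts* with the organisation's
    labels (paypal.com.some.thing) does not align with paypal.com."""
    domain, org_domain = domain.lower(), org_domain.lower()
    return domain == org_domain or domain.endswith("." + org_domain)

def classify(header_value: str, org_domain: str) -> str:
    """Label a From: header relative to the organisational domain."""
    d = from_domain(header_value)
    if not d:
        return "unparseable"
    if d.endswith(".invalid"):
        return "reserved-invalid"   # .invalid is reserved by RFC 2606
    return "aligned" if aligned(d, org_domain) else "not-aligned"

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        org = "yahoo.com" if "yahoo" in hdr else "paypal.com"
        print(f"{name:8} {from_domain(hdr):28} -> {classify(hdr, org)}")
```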