Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:
> > But that can already easily be done, I can just put
> > From: You <m...@example.com>
> > in my email headers.
> OK - what should I do about that? What's the general wisdom to help thwart
> that? Use the Sender: header? Both? Something more fancy?
If you are relying on From (or Sender) headers for access control, you have
already lost. Almost every part of the email header and SMTP transaction can
be faked by a malicious user.
If you want authentication, you'll need to either write your own layer on top
of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway
in front of your mail processor that does it (e.g. IP-based filtering in your
MTA, SASL auth).
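As an added example (not part of this thread or of any project discussed in it), here is one way to implement the "secure per-user recipient addresses" approach the reply mentions, in Python. It assumes a hypothetical mail processor at `example.com` that hands each user a private address of the form `cmd+<user>.<tag>@example.com`, where the tag is an HMAC over the user id under a server-side secret; the `From:`/`Sender:` headers are read for display only and never used as an authorization input. The secret and the sample messages are constructed for the demonstration.

```python
"""Authenticate inbound mail by a secret per-user recipient address, not by From:."""
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed demo secret; in a real deployment load it from a secrets store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
DOMAIN = "example.com"   # hypothetical domain of the mail processor
PREFIX = "cmd+"          # hypothetical local-part prefix for command addresses
TAG_LEN = 24             # hex characters of the HMAC tag kept in the address


def _tag_for(user_id: str) -> str:
    """Truncated HMAC-SHA256 over the user id; unguessable without SERVER_SECRET."""
    mac = hmac.new(SERVER_SECRET, user_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def recipient_address_for(user_id: str) -> str:
    """Private address issued to exactly one user, e.g. cmd+alice.<tag>@example.com."""
    return f"{PREFIX}{user_id}.{_tag_for(user_id)}@{DOMAIN}"


def authenticate(raw_message: str):
    """Return the user id proven by the recipient address, or None.

    From: and Sender: are never consulted: anyone can write them. Only a
    recipient address whose tag verifies under the server secret passes,
    so only the user the address was issued to can trigger an action.
    """
    msg = message_from_string(raw_message)
    # Prefer the MTA-added Delivered-To (envelope recipient) when present,
    # otherwise fall back to the To:/Cc: header fields.
    fields = msg.get_all("Delivered-To", []) or (
        msg.get_all("To", []) + msg.get_all("Cc", [])
    )
    for _display_name, addr in getaddresses(fields):
        local, sep, domain = addr.rpartition("@")
        if not sep or domain.lower() != DOMAIN or not local.startswith(PREFIX):
            continue
        # The tag is hex and contains no '.', so rpartition isolates it even
        # when the user id itself contains dots.
        user_id, dot, tag = local[len(PREFIX):].rpartition(".")
        if not dot or not user_id:
            continue
        if hmac.compare_digest(tag, _tag_for(user_id)):
            return user_id
    return None


def claimed_sender(raw_message: str) -> str:
    """What the From: header says; informational only, never an authorization input."""
    return parseaddr(message_from_string(raw_message).get("From", ""))[1]


def build_message(to_addr: str, from_addr: str, body: str = "hello") -> str:
    """Constructed sample message used for the demonstration."""
    return f"From: {from_addr}\r\nTo: {to_addr}\r\nSubject: cmd\r\n\r\n{body}\r\n"


if __name__ == "__main__":
    alice_addr = recipient_address_for("alice")
    print("alice's private address:", alice_addr)
    # Authenticates as alice whatever the From: header says.
    print(authenticate(build_message(alice_addr, "someone-else@example.net")))
    # A plausible-looking From: with the wrong recipient tag authenticates nobody.
    print(authenticate(build_message("cmd+alice.000000@example.com", "alice@example.com")))
```

The address is the credential here, so it should be treated like one: issued over an authenticated channel, revocable by rotating the secret or adding a per-user version field, and matched against the envelope recipient the MTA records rather than only the `To:` header when the MTA makes that available.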