Also on our service desk we commonly get the question how it is possible that e-mail is sent with as sender their own email address.
The awnser is actually pretty simple: The e-mail protocol SMTP (protocol which the e-mail is send) doesn't know a check on senders address. That means everyone can send an e-mail with an random sender address. Just try to change your e-mail address in a random other address in your e-mail program under the e-mail account settings and send an e-mail. High probability that it comes easily to the addressee. Unfortunately, they haven't thought of that at the development of the SMTP protocol in 1996. Probably because they had not foreseen at the time the whole phenomenon of spam.
Because the SMTP protocol has been implemented so often in so many different software, it is impossible to change it without causing a lot of problems.That's why there are "extensions" written on the POP3 protocol, which have no impact on the basis of the SMTP protocol.
Sender Policy Framework
An example of such expansion is the Sender Policy Framework (short SPF). It allows the administrator of a domain to specify from which Internet connections email should be sent to a domain. This is done by publishing the IP addresses of the authorized Internet connections. It is then possible for the receiving mail server to check the list of IP addresses or IP address where the email came from, if it is authorized to use the sender's address.
SPF is used on the receiving mail server, usually as part of the spam filter. If the IP address is not in the published list of the relevant domain, then the mail gets a higher spam score. At too high spam score the filter will actually mark the mail as spam.
Technical background SPF
For the techies: The list of authorized IP addresses are published through the DNS servers of the domain in the form of a TXT record. On the website openSPF.org you can read a detailed explanation of what is allowed to stand in a TXT record. A TXT record can be made via SPF wizard. That record will then be put in the DNS servers of the domain. In bHosted.nl control panel SPF Wizard is built in, that the record can be put directly in the DNS servers.