The various mechanisms to try to block forged email addresses (whether just for spam or for more nefarious purposes) still have holes in them, according to <https://www.theregister.com/2023/02/19/forwarding_email_security/>. For example, you can create an account on a major email service like outlook.com, enable forwarding, and put a spoofed address into its “allow list”. Then when a message comes in for that account purporting to come from that spoofed address, it bypasses the authenticity check and goes straight out again, with the spoofed from-address. And this one weird trick† works--or used to work--for a number of other major email providers, as well. To me, the whole plethora of these message-validation mechanisms--SPF, DKIM, DMARC, ARC and who knows what else--is just bewildering. Which is why I have yet to implement any of them for my own domain. What’s worth doing? Where do you start? †So sue me.