When I first started playing around with how SMTP worked over 20 years ago, I remember being somewhat surprised how easy it was to make an email appear in someone else's mailbox that looked like it came from anyone at all.
These days, SMTP servers do tend to be somewhat stricter about forwarding on emails that are not from addresses they are configured to handle, but the fact remains that, for instance, in my Hotmail account, I receive at least once a week an email that purports to be from apple.com or anz.com.au (a local bank), etc., with nothing at all in the email that suggests it did not originate from a mail server owned by said organisation.
The obvious question is: why is this still so broken, when it should be so easy to fix? If I browse on the web to https://www.apple.com, I'm given a pretty strong guarantee that what I'm looking at is legitimately owned and/or managed by Apple Corporation, but if I receive an email that says it's from support@apple.com there appears to be no such guarantee at all.
I'm aware there are protocols and standards for signing emails (DKIM etc.) but it seems they're so little used that few popular mail clients even bother to check for them.
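As an added illustration (not part of the question above, and not code from any mail client), this Python script shows the check a DKIM/SPF-aware client can make before showing "From: support@apple.com" as trustworthy: it reads the Authentication-Results header that the receiving mail server stamped on the message, keeps only results from that trusted server, and then requires that a passing SPF or DKIM result was for a domain aligned with the visible From: domain. The two messages are constructed samples; `mx.example.net` as the trusted authserv-id and the simplified alignment rule are assumptions made for the example.

```python
"""Evaluate a received message the way a DMARC-aware mail client would:
did SPF or DKIM pass, and for a domain that matches the visible From:?"""
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real captures).
# SPOOFED: the From: claims apple.com, but the receiving server only
# authenticated an unrelated sending domain, so the From: is unverified.
SPOOFED = """Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example
From: Apple Support <support@apple.com>
To: victim@example.net
Subject: Your account

Please verify your account.
"""

# LEGIT: the message carries a DKIM signature from the From: domain itself.
LEGIT = """Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=apple.com;
 dkim=pass header.d=apple.com
From: Apple Support <support@apple.com>
To: victim@example.net
Subject: Your receipt

Thanks for your purchase.
"""


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, stanzas).

    Each stanza is (method, result, {property: value}), for example
    ('dkim', 'pass', {'header.d': 'apple.com'}). RFC 8601 allows
    parenthesised comments such as "(good signature)"; they are dropped.
    """
    value = re.sub(r"\([^)]*\)", "", value)       # strip comments
    value = re.sub(r"\s+", " ", value).strip()     # unfold header folding
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]              # first part is the server id
    stanzas = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        stanzas.append((method.lower(), result.lower(), props))
    return authserv_id, stanzas


def aligned(auth_domain, from_domain):
    """Relaxed DMARC-style alignment: same domain or a subdomain of it.

    Real DMARC compares organizational domains using the public suffix list;
    treating the From: domain as the organizational domain is a simplification.
    """
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def evaluate(raw, trusted_authserv="mx.example.net"):
    """Return what a client could show the user: which aligned checks passed."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "spf_aligned": False, "dkim_aligned": False}
    # Trust only results stamped by our own receiving server (assumed to be
    # mx.example.net here). A sender can add Authentication-Results headers
    # of its own, so anything bearing a different authserv-id is ignored.
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, stanzas = parse_auth_results(value)
        if authserv_id.lower() != trusted_authserv.lower():
            continue
        for method, result, props in stanzas:
            if result != "pass":
                continue
            if method == "spf":
                dom = props.get("smtp.mailfrom", "").rpartition("@")[2]
                report["spf_aligned"] |= bool(dom) and aligned(dom, from_domain)
            elif method == "dkim":
                dom = props.get("header.d", "")
                report["dkim_aligned"] |= bool(dom) and aligned(dom, from_domain)
    report["verdict"] = ("authenticated"
                         if report["spf_aligned"] or report["dkim_aligned"]
                         else "unauthenticated")
    return report


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, evaluate(raw))
```

The point of the `trusted_authserv` filter is the caveat that makes this check meaningful: an Authentication-Results header is only evidence if it was written by a server the client trusts, which is why RFC 8601 has receiving servers strip any copies of that header that arrive from outside bearing their own name. A client that skipped this step would be trusting whatever the sender chose to write.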