In my organisation, everybody with a malicious mail server can spoof an internal email address. E.g. spoof the From: and From address: to [email protected] – the email gets delivered without getting into spam. I said that to an admin and he said that this is a feature because we have lots of services using this to send emails on behalf of our domain. We are using Exchange Online and some on-premises servers. In your eyes, is this a big security concern? If yes, what would you say to that admin and what needs to be implemented to prevent this?