Email is absolutely broken...
Having just been stunned by a trivial cross domain spoofing gotcha pointed out during a penetration test, we secured *our* domain vulnerability with SPF, but once we understood the mechanism could scarcely believe how trivial email spoofing is if you control DNS/RDNS.
Currently email servers take the message being received as "the truth". I suspect it would be better if rather than the message being delivered, a notification was delivered, and servers then had to decide if they were going to retrieved the message from the email server of record for the domain... but that's a whole new ball game. I suspect the folks that conceived email and the standards around it would be/are shaking their heads at the way things have gone.
No point holding my breath for a "fix" tho