Re: It's 2017 and you can still be pwned by a forged email header
Actually there is a way to validate the From header. If you try to spoof an email from a @paypal.com address to a Gmail user, it will not only put it in spam, but if you open it there will be a notice at the top telling you it is not the real paypal.com.
This is not some special agreement between gmail and paypal but is based entirely on open industry standards - I have implemented the same anti-spoof protection for some of my own domains. SPF validates the envelope address (allowing a server to "take responsibility" if it wants), but DMARC validates the From address (meaning it validates the claim about who sent it).
The only case where you can't validate an email sender is if users are allowed to use unrelated third-party SMTP servers (so some public email providers can't require it), which I certainly hope does not apply to an official police email address.
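The envelope-versus-From distinction the comment draws is exactly what DMARC's alignment step enforces, so here is an added example (not the commenter's code, not from any mail library) that walks through a simplified DMARC evaluation. It assumes the caller already has the SPF and DKIM results (as a real receiver would after checking MAIL FROM and verifying the signature), stubs the `_dmarc.` TXT lookup with a constructed dictionary instead of real DNS, and approximates the organizational domain as the last two labels rather than consulting the Public Suffix List. The constructed "spoof" message has a legitimate SPF pass for the attacker's own envelope domain, which is the case SPF alone cannot catch and DMARC alignment does.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT records standing in for a DNS lookup (not real DNS data).
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, applying DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def org_domain(domain):
    """Simplification (assumption): last two labels as the organizational domain.
    Real receivers use the Public Suffix List so that e.g. co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(raw_message, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=FAKE_DNS_TXT):
    """Combine SPF/DKIM results with the From: header to reach a DMARC verdict.

    spf_domain is the envelope MAIL FROM domain that SPF was checked against;
    dkim_domain is the d= tag of the verified DKIM signature (or None).
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    record = dns.get("_dmarc." + from_domain)
    if not from_domain or record is None:
        # No policy published: DMARC cannot say anything about this From: domain.
        return {"from_domain": from_domain, "dmarc": "none", "disposition": "none"}
    policy = parse_dmarc(record)
    # SPF passing for the *envelope* domain is not enough: it must align with From:.
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, policy["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
    }


# Constructed messages. The spoof carries a valid SPF pass for the sending
# server's own envelope domain, which SPF by itself would accept.
SPOOFED = "From: Billing <billing@example.com>\nSubject: Action required\n\nclick here\n"
LEGIT = "From: Billing <billing@example.com>\nSubject: Your receipt\n\nthanks\n"


def demo():
    spoof = evaluate_dmarc(SPOOFED, "pass", "bulk.mailer.invalid", "none", None)
    legit = evaluate_dmarc(LEGIT, "pass", "mail.example.com", "pass", "example.com")
    return spoof, legit


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it shows the spoofed message failing DMARC with disposition `reject` despite its SPF pass, because `bulk.mailer.invalid` does not align with `example.com`, while the legitimate message passes on both relaxed SPF alignment (`mail.example.com`) and strict DKIM alignment. A receiver that published `p=none`, like the constructed `example.org` record, gets a `fail` verdict but no enforcement, which is why the commenter's own domains only get the spam-folder and warning-banner behaviour once they publish an enforcing policy.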