by crc5002 5846 days ago
You only need to know the owner's email address.

Access to a message or a mailing list post by them won't provide any further advantage.

1 comments

Email address is not enough. This one case was a coincidence.

"We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing."

I think he said that the blog owner's email host did not provide SPF protection; the intruder's email host appended some headers that lured Posterous into classifying the email as genuine.

So, having access to the blog owner's email headers would not have provided any additional advantage to the intruder.