by florent42 2850 days ago
If you are talking about SPF and DKIM, neither of them verifies the sender. The former indicates which IP addresses are allowed to send an email for a specific domain name. The latter lets you verify that the email originated from the domain. But not from the sender itself.

If you were talking about PGP signatures, ignore my previous words :)

The issue you see in SIP predates voice over IP. PSTN suffers from the very same issue.

1 comments

Well, if you get an email from xxx@somemail.com and the SPF and DKIM check out, then it means that the mail really came from somemail and they have had the chance to verify that xxx is authorized to send the email with e.g. a password. The system is not 100% foolproof but it's good enough when working with reputable or self-hosted email services. It's way, way better than "anyone can trivially pretend to be anyone".
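
An added example, not part of either comment: a simplified SPF evaluation showing that the verdict depends only on the envelope domain and the connecting IP, so any per-user check is left to the sending service. The SPF record, the IP ranges and the `spf_check` helper are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are handled and no DNS lookup is made.

```python
import ipaddress

# Constructed SPF TXT record for the thread's placeholder domain.
# A real check would fetch this from DNS; the ranges are documentation prefixes.
SPF_RECORDS = {
    "somemail.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of the sender domain's SPF record.

    Simplified subset of SPF: include, a, mx, redirect and macros are
    not implemented and are skipped if present.
    """
    # The local part is split off and then never consulted: SPF has no
    # notion of which mailbox at the domain sent the message.
    _local_part, _, domain = mail_from.rpartition("@")
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender, ip in [
        ("xxx@somemail.com", "192.0.2.25"),
        ("someone-else@somemail.com", "192.0.2.25"),
        ("xxx@somemail.com", "198.51.100.7"),
    ]:
        print(f"{sender:28} from {ip:14} -> {spf_check(sender, ip)}")
```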