[escalt]

Well, clearly they sent it to you, so they're distributing the images. The E-Mail headers, especially if they contain a dkim signature, are likely sufficient proof for that. If not, the provider they used might be able to back your claims up. If you were using some E-Mail provider instead, those images would still land on your client devices, and the situation would be almost the same. And of course let a lawyer do the talking

[jrootabega]

Ah, but they send and report it anonymously, mitigating the risk to themselves. And the popular conception is that once that content is on your devices, it doesn't really matter how or why it got there. You're effectively ruined. That may be inaccurate but it's still a popular idea.

And re: client devices, with a provider you don't control, you at least have the option not to download or access content you are not confident is safe. If you self-host, just accepting the message is storing the content on your device.