Hacker News
by db48x 1033 days ago
It is trivial to connect to the mail server for the recipient and start a message using someone else’s address as the envelope “From” address. The email delivery protocol offers zero protection against forgery.

However, for the last decade or so most people’s email servers have been configured to look for DKIM headers on the email itself and then verify them against a public key published via DNS. Since you don’t have the corresponding secret key, you won’t be able to add a DKIM header to the email that can be verified and your email will be rejected. Leaving off the DKIM header will also get you rejected by most recipients.

It is useless to try to forge the sender address these days. SES won’t even let you try; it will simply not send any email which is “from” an address you don’t control.

Don’t try to create a service which sends email on behalf of other people; it won’t work.

<https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>
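Added example, not part of the comment above: a minimal Python sketch of the first things a receiving server does with a `DKIM-Signature` header, namely deriving the DNS name where the signer's public key is published and recomputing the body hash to compare with `bh=`. The domain `example.com`, the selector `sel2024` and the `b=` value are constructed placeholders; the signature check against the public key itself is not shown and only SHA-256 algorithms are assumed.

```python
import base64
import hashlib
import re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace is not significant in the tags read below.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name of the TXT record that publishes the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, 'simple' or 'relaxed' (RFC 6376 section 3.4)."""
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):  # empty lines at the end are ignored
        body = body[:-2]
    if mode == "relaxed" and not body:
        return b""
    return body + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Value a verifier compares with the bh= tag (SHA-256 algorithms only)."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def body_matches(body: bytes, header_value: str) -> bool:
    """True when the received body still hashes to the signed bh= value."""
    tags = parse_tags(header_value)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"
    return tags.get("bh") == body_hash(body, mode)

# Constructed sample: placeholder domain, selector and b= value.
BODY = b"Invoice attached.\r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
          "\th=from:to:subject; bh=" + body_hash(BODY, "relaxed") + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print(key_record_name(parse_tags(HEADER)))
    print(body_matches(BODY, HEADER))
    print(body_matches(b"Pay this account.\r\n", HEADER))
```

A real verifier goes on to fetch the TXT record at that name and check `b=` over the canonicalized headers listed in `h=`, which is the step that fails without the signer's secret key.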