[sacrosanct]

If the shop is doing DMARC[0] & DKIM[1] this is a non-issue

[0] https://en.m.wikipedia.org/wiki/DMARC

[1] https://en.m.wikipedia.org/wiki/DomainKeys_Identified_Mail

[boronine]

That DMARC link talks about "From: rewriting" with a similar example using "via". I suppose this addresses the "spoofing" part of my question, thanks! I would still like to know more about this practice in transactional emails.