by mnw21cam 332 days ago
My stock reply to this used to be that you can send emails from anyone - who the email is sent from is not authenticated.

It's a little less true now with some of the newer protections, but only today I received a fairly subtle spam/scam supposedly from the main email address of a major retailer, so I think it's still sensible to never ever trust the "From:" part of an email.

1 comments

Sure, but they could just send a link back to the same address with a form to fill out the complaint, or even just a phone number saying "call this number to speak to customer service about the issue you're having". From a technical standpoint, it's not hard at all to invert things to use the address as a recipient in a way that confirms that someone is able to access the email sent to it. A company like Experian that claims to have info on literally a billion people would be silly not to recognize that their scale is going to occasionally end up with mistaken contact info, so if they cared at all about the quality of their data, they would have some sort of system established to handle this.
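
The round trip described in the comment above (mail a link to the claimed address and act only when it comes back), as an added example that is not part of the thread. The key, the one-hour lifetime, the token layout and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumptions (constructed for this example): key, lifetime, field layout.
SECRET_KEY = b"constructed-demo-key"   # server-side only, never sent to users
TOKEN_TTL_SECONDS = 3600               # confirmation link valid for one hour


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64(text: str) -> str:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)).decode()


def sign(payload: str) -> str:
    return b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(address: str, case_id: str, now: Optional[float] = None) -> str:
    """Token to embed in a link that is mailed TO the claimed address."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL_SECONDS)
    payload = f"{b64(address.lower().encode())}.{b64(case_id.encode())}.{expires}"
    return f"{payload}.{sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (address, case_id) only for an authentic, unexpired token."""
    current = time.time() if now is None else now
    try:
        payload, signature = token.rsplit(".", 1)
        # Check the MAC in constant time before parsing any field.
        if not hmac.compare_digest(signature.encode(), sign(payload).encode()):
            return None
        addr_b64, case_b64, expires = payload.split(".")
        if int(expires) < current:
            return None
        return unb64(addr_b64), unb64(case_b64)
    except ValueError:  # malformed token, bad base64 or bad UTF-8
        return None
```

The "From:" header is never consulted; the proof is possession of a token that was only ever delivered to that mailbox. This stateless token can be replayed until it expires, so single use needs a server-side record of redeemed tokens.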