by upofadown 12 days ago
>Anyone can put anything in the “From” field of an email.

... and then the article goes on to talk about SPF, DKIM and DMARC which authenticates only the domain part of the "From" field. So just the reputation of the email server, not the entity that sent you the email. If things get as bad with AI generated deception as suggested by the article this wouldn't be good enough, we would have to start signing our emails again. Emails from entities we don't know would have to be treated with a high level of suspicion.

I am not convinced that things will for sure really get that bad. How can an AI figure out the email addresses of our correspondents? They are not magic.


You’re mistaken: DKIM always signs the entire From field. Signing is done on the MTA, so yes, it is “the reputation of the server” like you say, but “server” can be a relatively granular thing here, using different DKIM selectors for different addresses, MTAs, etc.

A signature is not authentication in itself. It is only such if the signing entity is in some way restricting what it is willing to sign. The domain part of the email address in the "From" field is so restricted. The signing MTA will only sign domains that it controls. Otherwise it would suffer a loss of reputation. The user part of the address is not so restricted.

The name part of the email address is also part of the same signature but is not being authenticated either.
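As an added illustration of the point made in this reply (example code, not from any commenter): a small Python check of DMARC's DKIM identifier alignment, which compares only the domain of the From address with the signature's d= tag, while the display name and local part are covered by the signature but never checked. The sample headers are constructed, and org_domain is a simplified stand-in for a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not from a real message). The DKIM h= tag lists
# "from", so the whole From header is covered by the signature.
SAMPLE_HEADERS = {
    "From": '"Alice Example" <alice@mail.example.com>',
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; "
                      "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
}


def dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain (last two labels); a real verifier
    consults the Public Suffix List instead of this assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_dkim_alignment(headers, strict=False):
    """Report what DMARC alignment authenticates and what it leaves unchecked.
    Only the From domain is compared with d=; display name and local part
    are returned as 'unauthenticated' because no check ever looks at them."""
    display_name, addr = parseaddr(headers["From"])
    local_part, _, from_domain = addr.rpartition("@")
    tags = dkim_tags(headers["DKIM-Signature"])
    signing_domain = tags.get("d", "").lower()
    signed_headers = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if strict:
        aligned = from_domain.lower() == signing_domain
    else:
        aligned = org_domain(from_domain) == org_domain(signing_domain)
    return {
        "from_signed": "from" in signed_headers,
        "aligned": aligned,
        "authenticated_domain": from_domain.lower() if aligned else None,
        "unauthenticated": {"display_name": display_name, "local_part": local_part},
    }
```

Swapping the display name or local part in the sample From header leaves the alignment result unchanged, which is exactly why a passing DMARC check says nothing about the person named in the header.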