@figuerres: that's unfortunately the way things are. And we are just digging ourselves into a deeper hole by using (and abusing) old protocols in all sorts of devices.

Mitigation is all we can hope for at the moment; for instance, I wonder if it wouldn't be a good thing to allow SMTP servers to reject messages unless they originate directly from one of the IP addresses of the sender's domain (something that is specifically forbidden in the current RFC). That alone would make the whole header spoofing business irrelevant and it would improve the effectiveness of blacklisting.
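
The check proposed in the comment above, sketched as an added example that is not part of the original comment. It assumes "sender's domain" means the domain of the SMTP envelope sender (MAIL FROM) and uses a constructed table in place of DNS lookups; the function names and the table are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS: the addresses each sender domain publishes.
# Documentation ranges only (RFC 5737 / RFC 3849), not real mail hosts.
DOMAIN_ADDRESSES = {
    "example.org": ["192.0.2.10", "192.0.2.11", "2001:db8::25"],
    "example.net": ["198.51.100.0/28"],
}

def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, or None."""
    addr = mail_from.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()

def check_origin(client_ip, mail_from, table=DOMAIN_ADDRESSES):
    """Decide at MAIL FROM time whether the connecting IP belongs to the
    sender's domain. Returns (smtp_code, reason)."""
    domain = sender_domain(mail_from)
    if domain is None:
        # Assumption of this sketch: a sender without a domain (including
        # the null sender "<>") cannot be verified, so it is rejected.
        return 550, "no sender domain to verify"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 550, "unparseable client address"
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for entry in table.get(domain, []):
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return 250, f"{ip} is an address of {domain}"
    return 550, f"{ip} is not an address of {domain}"

if __name__ == "__main__":
    # Constructed sessions: (connecting IP, envelope sender)
    for peer, sender in [("192.0.2.10", "<alice@example.org>"),
                         ("203.0.113.7", "<alice@example.org>"),
                         ("::ffff:192.0.2.11", "<alice@example.org>"),
                         ("198.51.100.16", "<bob@example.net>")]:
        print(peer, sender, check_origin(peer, sender))
```
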