Was checking thru junk folder and there was an email from what appears to be your own email address with a data ransom demand?
from cheese_greater@lemmy.world to nostupidquestions@lemmy.ca on 02 Apr 02:29
https://lemmy.world/post/45054482

How do they make it look like it's from your own email address? Does that mean they legit hacked it?

#nostupidquestions

Nemo@slrpnk.net on 02 Apr 02:32

There’s no limit on what you put in the “sender” line. Absolutely none.

cheese_greater@lemmy.world on 02 Apr 03:02

Cray

ptz@dubvee.org on 02 Apr 02:38

The From field in email is pretty much on the honor system. You can put anything you want there, and the servers will happily send it.

This is why we have things like SPF (sender policy framework), DKIM (domain key identified mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) and why that message was in your junk folder rather than your inbox.

When your email provider receives a message from cheese_greater@lemmy.world, it looks up the DNS record for lemmy.world to see what IP addresses (among other things) are allowed to send email for users at lemmy.world. It compares those against the IP of the server sending on behalf of the user claiming to be cheese_greater@lemmy.world. If they match, the SPF check passes. If they don’t match, the check fails.

DKIM is also used to add a digital signature to each email originating from lemmy.world. The signature of the message is checked against lemmy.world’s public key (which is retrieved via DNS lookup). If the signatures match, the DKIM check passes. Otherwise, it fails.

Spam filters can then use the results of those to shunt the message to Junk if they don’t pass. The last item, DMARC, is an optional policy lemmy.world can configure to tell receiving servers what to do with messages that fail those checks. The most commonly used options are reject and quarantine (i.e. mark as junk).
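
The SPF lookup and DMARC policy step described in the comment above, as an added example that is not part of the original thread. The DNS records, the domain `example.org`, the IP addresses and all function names are constructed for illustration; the SPF evaluator handles only the `ip4`, `ip6` and `all` mechanisms and assumes the envelope sender domain equals the From domain.

```python
import ipaddress

# Constructed sample TXT records standing in for live DNS lookups.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip):
    """Compare the connecting server's IP with the domain's published SPF record."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":                  # catch-all, normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or "none" if absent."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"

def disposition(from_domain, sender_ip, dkim_pass=False):
    """DMARC passes if SPF or DKIM passes; otherwise apply the domain's policy."""
    if spf_check(from_domain, sender_ip) == "pass" or dkim_pass:
        return "deliver"
    policy = dmarc_policy(from_domain)
    return {"reject": "reject", "quarantine": "junk"}.get(policy, "deliver")

if __name__ == "__main__":
    # Mail claiming to be from example.org, sent from an authorized and an unauthorized server.
    print(disposition("example.org", "192.0.2.25"))
    print(disposition("example.org", "203.0.113.9"))
```
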

lordbritishbusiness@lemmy.world on 02 Apr 03:56

You’ll have to review Admiral Patrick’s response for tech details, but it suggests your email provider isn’t following the security controls used to validate the email source and likely isn’t encrypting emails either.

The best thing you can do is switch or upgrade provider.

*Edit: they may be doing some checks, which is why it’s in junk, but I’d be a bit harsher for clear forgeries and deny them entirely.