A coworker received a phishing email linking to some site that was sent from a company email. However, this email is not an actual email, but rather a group (so send the email to the group and it forwards to members of the group). I know that this is easily done by masking your email or creating an email that looks the same but is a character off..however how does one spoof an exact email clone from an account that isn't really an account? I know for Gmail for instance you have to verify you own that account before you can mask yourself for it, and I would assume it is like that for other email accounts on the web as well.