the other side of this coin is that email is *really* easy to hack

the capriciousness of the system is a response to that

I'm not much of a hacker, but I've been able to send fake emails a couple times using only reverse DNS records:

1. in 2010 I made fake posts as my university's security prof in a Facebook group. FB had a feature where if somebody emailed them, it would get converted to an FB post. and all they were checking for security was if a reverse DNS record existed for the outbound email server

2. in 2021 I randomly found myself at a WeWork whose Wi-Fi IP address had a reverse DNS record. I was able to send email to arbitrary Gmail accounts that showed up as coming from whitehouse.gov

another story about spoofed emails getting through Gmail filters: https://x.com/bcrypt/status/1847100504830365805

imo email wouldn’t be such a federation counterexample if it was built with cryptographic signatures from the get-go

Agree.

But, also this is also an example where Google could have used its marketshare dominance in the space to make email safer for everyone by adopting something like S/MIME as a default. Instead they chose more growth and surveillance.

Cryptographic signatures would indeed provide stronger authentication, but email's fundamental design is based on trust in the sending domain, not cryptographic proof. A decentralized solution is still needed to replace this trust-based model.