The spoofing is not detected by email servers, and can thus circumvent email security mechanisms such as DMARC.

https://www.infosecurity-magazine.com/news/mailsploit-allows-spoofed-mails/