Thee best  method for anti-spoofing is to have a three way handshake,
which the OK mechanism allows.  Anything else is suspect, as you have
already indicated via a mail clients RETURN ADDRESS e.g., such as found
in Eudora.

On one campus-announce only list, we seem to be able to deal w/ the
following setup

* default-options= NOPOST

and with authorized subscribers being altered by the list-owner via

SET listname POST FOR authorized_userid@node

This does NOT provide three-way handshake, but it is effective for *us*.
Non-authorized posters simply get a LISTSERV-generated (I believe from
the template) nastygram.

If you're getting spoofed messages, then you need to deal with that
out-of-band, along with strong institutional policies (if originating
internally).

YMMV

/Pete Weiss -- Penn State