Re: "Do not enable macros on documents received via email, unless the source is verified"
When that protocol was younger, it still contained all of that, but it didn't check any of it. I could open a connection to a mailserver, submit a message with any headers I liked, from any address I liked, with a long fake history if I pleased, and all that would be available afterward to try to track me down would be the IP address with which I connected to the first real server in the chain.
Nowadays, there are a lot of patches designed to prevent that from working, and most servers actually check those. However, it doesn't stop people from trying the old ways. I've run my own mailserver at times, although I don't now, and looking at what bots tried to do was instructive. Several types of attack were attempted, including many spoofed emails and some attempts to get my server to act as a relay for messages going to others. Fortunately, relay attempts were rejected and spoofed emails went to a separate mailbox for curiosity until I just sent them all to /dev/null. Still, not only can a mail client be manipulated to show an inaccurate source, headers can be spoofed if your server isn't careful.
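To illustrate the point about forged history, here is an added example (not part of the original comment) that splits a message's Received chain into the hops stamped by your own servers and the hops that arrived inside the message and could have been written by the sender. The host name mx.example.org, the addresses and the sample message are constructed for the illustration.

```python
import re
from email import message_from_string

# Constructed sample: the top Received line was stamped by our own MX
# (mx.example.org, an assumed name). The two below it arrived as part of
# the message, so the sender could have typed anything there.
SAMPLE = """\
Received: from mail.bank.example (unknown [203.0.113.7])
\tby mx.example.org with ESMTP id 4F2A1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from internal.bank.example (internal.bank.example [198.51.100.10])
\tby mail.bank.example with ESMTP id 77B; Mon, 1 Jan 2024 09:59:58 +0000
Received: from desk42.bank.example ([198.51.100.99])
\tby internal.bank.example with ESMTP id 12C; Mon, 1 Jan 2024 09:59:55 +0000
From: "Accounts" <accounts@bank.example>
To: user@example.org
Subject: Invoice

See attached.
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def split_received_chain(raw, our_hosts, our_ips=()):
    """Return (peer_ip, verified_hops, unverified_hops), newest hop first.

    A hop is verified only if one of our hosts wrote it AND every hop above
    it was handed over by one of our own relay IPs. The first hop whose peer
    is outside our network is the trust boundary; nothing below it is
    evidence, even if it names one of our hosts.
    """
    hops = message_from_string(raw).get_all("Received", [])
    peer_ip, boundary = None, 0
    for i, hop in enumerate(hops):
        text = " ".join(hop.split())          # unfold continuation lines
        by = BY_RE.search(text)
        if not by or by.group(1).lower() not in our_hosts:
            break                             # not written by us: stop trusting
        ip = IP_RE.search(text.split(" by ")[0])
        peer_ip, boundary = (ip.group(1) if ip else None), i + 1
        if peer_ip not in our_ips:
            break                             # message entered from outside here
    return peer_ip, hops[:boundary], hops[boundary:]

if __name__ == "__main__":
    peer, ok, unverified = split_received_chain(SAMPLE, {"mx.example.org"})
    print("connecting IP:", peer, "| unverified hops:", len(unverified))
```

The only address worth logging or blocking on is the returned peer IP; the unverified hops are useful as claims to compare against, not as facts.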