According to this
, it's not too hard to do. I'd advise being careful in the example you gave though. I often get spam (used to, spamassassin does a good job) whose from address is in one of my domains. It seems pretty common for the from address to be the same as the to address with spam.
At this stage, SPF
usage doesn't seem to be common so I just rely on spamassassin identifying the contents.