We've had a long conversation with Microsoft regarding this; all the emails are available on the website. Their position ranges from "this was by design" to "we'll change the documentation" to "you're wrong".

They have, however, never answered the question as to why their client is the only one that does not perform that basic, simple check... very strange considering that their own Outlook Express instead works perfectly by flagging the message when the digital signature does not match the actual sender...