Anything in an email message can be spoofed except for the headers that the recipient's mail server puts there. Just because it says it originated somewhere or that it passed through certain mail servers doesn't mean it actually did. Mail can be sent by telnetting to port 25 on a mail server and typing the commands manually. Since that is possible one could make an email message look like it routed through any mailserver one wanted. The mail server that the sender sends the message to (and any downstream servers) would also add a received header which the malicious sender would not be able to control.