FWIW, they did weigh in on this back in July 2016, saying it would be extremely valuable to check the From address against MAIL FROM: in the SMTP session. Then again in Oct. 2016, saying it wasn't a bug, but that they would add it to the feature request list with no ETA.
If anyone knows the addresses of the SM programmers, we could exploit this vulnerability to send them an email from Tim@smartertools.com saying that this issue is critical and needs to be fixed ASAP. :) JJ
Seriously, we need to at least provide some mechanism to warn users that the message is from someone at the local domain, but was not authenticated and could be fraudulent. Technically, I would prefer that these messages be rejected as rarely do you allow others to send using your domain.
If you do use a service like Constant Contact that's allowed to send as your domain, then it should be whitelisted or entered as global trusted sender. It's a little extra work, but will protect your users. See this highly-rated (20 votes) idea to make the management of trusted senders easier:
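The check JJ is asking for, written out as an added example (not SmarterMail code and not part of the original post): at the end of an unauthenticated SMTP session, compare the header From domain against the server's local domains, exempt explicitly trusted senders, and either reject or tag the message. The `SmtpSession`, `Policy`, addresses and IPs below are all constructed for illustration; the trusted-sender list is the "whitelist / global trusted sender" idea from the post. Note that this only catches a spoofed From address; a spoofed display name in front of an external address is a different problem and passes through.

```python
"""Policy check for an unauthenticated SMTP session whose From: header claims a local domain.

Hypothetical example, not SmarterMail's implementation. The session object is what a
filter would know once DATA is complete: envelope sender, whether SMTP AUTH succeeded,
and the client IP. Everything here is constructed sample data.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr


@dataclass
class SmtpSession:
    mail_from: str          # envelope sender given in MAIL FROM:
    authenticated: bool     # did the client pass SMTP AUTH?
    client_ip: str


@dataclass
class Policy:
    local_domains: set                                   # domains this server hosts
    trusted_senders: set = field(default_factory=set)    # "addr@dom" or "@dom" entries
    trusted_ips: set = field(default_factory=set)        # relays allowed to send as us
    mode: str = "reject"                                 # "reject" or "warn"


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(session: SmtpSession, policy: Policy) -> bool:
    """Whitelist check: trusted relay IP, exact envelope address, or whole envelope domain."""
    mail_from = session.mail_from.lower()
    return (session.client_ip in policy.trusted_ips
            or mail_from in policy.trusted_senders
            or "@" + _domain(mail_from) in policy.trusted_senders)


def evaluate(raw_message: str, session: SmtpSession, policy: Policy) -> tuple:
    """Return (verdict, reason); verdict is 'accept', 'reject' or 'warn'."""
    msg = message_from_string(raw_message)
    _display_name, header_from = parseaddr(msg.get("From", ""))
    from_domain = _domain(header_from)

    if from_domain not in policy.local_domains:
        return "accept", "From: is not a local domain"      # ordinary inbound mail
    if session.authenticated:
        return "accept", "session authenticated"           # our own user
    if is_trusted(session, policy):
        return "accept", "trusted sender"                  # whitelisted bulk sender / relay

    reason = (f"From: {header_from} claims local domain {from_domain} "
              f"but the session did not authenticate")
    if _domain(session.mail_from) != from_domain:
        # The MAIL FROM / From: comparison the vendor acknowledged in 2016.
        reason += f"; MAIL FROM {session.mail_from} does not match"
    return policy.mode, reason


def tag_warning(raw_message: str, reason: str) -> str:
    """Warn mode: make the problem visible to the recipient instead of rejecting."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject")
    marker = "[UNVERIFIED SENDER] "
    if subject is None:
        msg["Subject"] = marker.strip()
    else:
        msg.replace_header("Subject", marker + subject)
    msg["X-Local-Domain-Unauthenticated"] = reason   # hypothetical header name
    return msg.as_string()


# Constructed sample data for the demonstration below.
POLICY = Policy(local_domains={"example.com"},
                trusted_senders={"@bulkmail.example"},
                trusted_ips={"203.0.113.7"})
SPOOF = ("From: Tim@example.com\nTo: user@example.com\nSubject: Critical fix needed\n\n"
         "Please fix this ASAP.\n")

if __name__ == "__main__":
    cases = {
        "unauthenticated spoof": SmtpSession("attacker@evil.example", False, "198.51.100.9"),
        "our own user":          SmtpSession("tim@example.com", True, "198.51.100.9"),
        "whitelisted bulk":      SmtpSession("bounce@bulkmail.example", False, "198.51.100.9"),
        "trusted relay IP":      SmtpSession("attacker@evil.example", False, "203.0.113.7"),
    }
    for name, session in cases.items():
        verdict, why = evaluate(SPOOF, session, POLICY)
        print(f"{name:22s} -> {verdict}: {why}")
```

With `mode="reject"` the spoof is refused at the SMTP level, which is what JJ prefers; switching the policy to `mode="warn"` and passing the message through `tag_warning` gives the "warn users" behaviour instead.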