i think it is not 100% necessary to let domain level can check/track it,
of course,both domain and system can check it,it is best.
and i think change/set signature is not good way,
because all the sender may use the same default signature or no signature.
but i think it may add some tag or other way for system admin to track/check it.
(but i think the only way to check is archive,by the way,add to header may be the only way)
the reason i ask it,
it is because when some bad or issue reply,
domain or system admin can track who sent the mail,
or if there is no related log,
when no one recognize they sent the mail,
it will be no way to find the correct sender.