I'm still wondering what Posterous plans to do when they reach enough of a critical mass that spammers will actively try to impersonate existing accounts. Generalized, non-sender-server-enforced sender authentication does not exist. That's why SPF and DKIM came along ... I'm sure they've had to pour over this. Anyone have a link on design/discussion?