I know that I should not rely on the email display name, which is easily spoofed. Isn’t it enough to check that the email sender’s domain ends with “.gov.sg”? Why do I still need to check that my email service provider implements the needed protections?
It is not sufficient to check that the email sender is from an email domain that ends with “.gov.sg”, as a scammer can easily forge an email address with such a domain to impersonate trusted senders (e.g. you get an email supposedly from “customer department <email@example.com>”). However, such spoofed emails can be detected by email service providers that have security measures in place to verify whether emails are from a legitimate sender (CPF Board), and to reject or quarantine emails that do not pass verification checks.
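The difference between the two checks, as an added example that is not part of the original page: the suffix check only reads the text of the From address, while the provider's verdict is the result of its own verification. It assumes the provider records that result in an `Authentication-Results` header (RFC 8601) with a DMARC outcome; `mx.example.net`, `agency.gov.sg` and both messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample messages (not real mail). mx.example.net is a hypothetical
# receiving provider; agency.gov.sg is a placeholder sender domain.
FORGED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example.org; dkim=none; dmarc=fail header.from=agency.gov.sg
From: "Customer Department" <notice@agency.gov.sg>
Subject: Account update

Body
"""
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=agency.gov.sg; dkim=pass header.d=agency.gov.sg; dmarc=pass header.from=agency.gov.sg
From: "Customer Department" <notice@agency.gov.sg>
Subject: Account update

Body
"""

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own provider's authserv-id

def from_domain(raw):
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def suffix_check(raw, suffix=".gov.sg"):
    """The check from the question: looks only at the From address text."""
    return from_domain(raw).endswith(suffix)

def provider_verdict(raw):
    """DMARC result recorded by the receiving provider for the From domain."""
    msg = message_from_string(raw)
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        if parts[0].lower() != TRUSTED_AUTHSERV:
            continue  # ignore results not stamped by our own provider
        for p in parts[1:]:
            m = re.match(r"dmarc=(\w+)\b.*header\.from=([\w.-]+)", p, re.I)
            if m and m.group(2).lower() == from_domain(raw):
                return m.group(1).lower()
    return "none"  # no usable result: treat as unverified

def looks_legitimate(raw):
    return suffix_check(raw) and provider_verdict(raw) == "pass"
```

Both messages pass the suffix check; only the one the provider verified is accepted.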