SMTP is one of the oldest Internet protocols that has survived to this day almost unchanged, and is still widely used today.
Protection against forgery of the sender is historically not provided for at all. Hence all the world's problems with email spam.
In practice, several protection mechanisms have been devised, from IETF standards to tacit agreements, which nevertheless, plus or minus, follow. On the other hand, all these measures without a twinge of conscience can be called crutches.
So, there is a reputation system for servers and sender domains (well-known spam lists like spamhaus).
There are SPF and DKIM mechanisms (normally they work only in conjunction with DMARC, otherwise there are many reservations).
There are certain and nowhere really standardized rules that almost everyone uses (starting with SpamAssassin): checking the existence of the sending domain and MX records, checking the reverse zone of the sender address, checking the domain in EHLO, and various combinations of them. Greylisting mechanism. Etc.
Plus, endless heuristics based on the content of letters, correspondence history, complaints statistics, etc.
All this now allows large mailers like Gmail to filter spam very successfully (including letters with a fake sender address).
On the other hand, if the owner of the sending domain did not care about any protection, and the attacker knows how to correctly configure the mail agent, then hello.
The same if the recipient has not configured the receiving mail server.

How is it possible to "deceive" people with such means ...

Can. And they deceive. More precisely, they deceived, now there are heaps of crutch methods to deal with such an architectural miscalculation of mail sending protocols.