I'm posting this message to the site using this new email script that I got from John Blade. It's supposed to support attachments so that I can post pictures and files along with my email. I don't know if I will ever use this feature, but it might be useful to have.

More importantly, it prevents random users from posting via the secret email address by checking the sending address against the list of valid users in the database. Neat.

Comments

Comment by Pat on .
The question is, "How does it prevent spoofing sending addresses?" If there's no authentication mechanism, then it's only really a stop-gap measure. Email itself is unauthenticated, so there's no way you can tell the message really came from who it was supposed to have come from. This could probably be mitigated by only allowing email from your own server (which in theory should not support spoofing). You'd have to make sure that it kind of taps directly into the server, though, and doesn't ever use anything like message headers. Alternatively, you could build in your own authentication mechanism, like digitally signed emails, or something similar.
Comment by John Blade on .
I'm heavily in redevelopment of the WordPress mail script. Originally I modified it for simple attachment of images, but later found it was easier to pretty much scrap it all and start again. What I'm going to add is a GPG/PGP feature, so when you send your PGP-signed email it will be verified by WordPress. This is very hard to forge - unless they have your private PGP key. Other than using PGP signatures, there could be a secret passcode or something you could include somewhere in the message - that could be fun. :)
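
An added example, not part of the post or of either comment and not John Blade's script: it contrasts the sender-address check the post describes with the passcode idea from the last comment. The author table, addresses, passcode format (`Passcode:` as the first body line) and function names are all assumptions made for illustration, and only plain-text messages are handled.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: known author address -> posting passcode (hypothetical).
AUTHORS = {"alice@example.org": "correct-horse-battery"}

def sender_address(raw):
    """Return the lower-cased address from the From header (unauthenticated data)."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def check_sender_only(raw):
    """The check described in the post: From must match a known user."""
    return sender_address(raw) in AUTHORS

def check_sender_and_passcode(raw):
    """Require a known From AND the user's passcode on the first body line.

    Returns the body to publish (passcode line removed) or None to reject.
    """
    msg = message_from_string(raw)
    expected = AUTHORS.get(sender_address(raw))
    if expected is None or msg.is_multipart():  # assumption: plain text only
        return None
    first, _, rest = msg.get_payload().partition("\n")
    prefix = "passcode:"
    if not first.lower().startswith(prefix):
        return None
    supplied = first[len(prefix):].strip()
    # Constant-time comparison so response timing does not leak the passcode.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None
    return rest.lstrip("\n")  # the passcode itself is never published

# Constructed messages: the first only copies a known From header,
# the second also carries the passcode.
FORGED = ("From: Alice <alice@example.org>\nTo: post@blog.example\n"
          "Subject: hi\n\nUnauthorised post\n")
GENUINE = ("From: Alice <alice@example.org>\nTo: post@blog.example\n"
           "Subject: New post\n\nPasscode: correct-horse-battery\n\n"
           "Hello from email.\n")

if __name__ == "__main__":
    print("sender-only accepts forged:", check_sender_only(FORGED))
    print("passcode check on forged:", check_sender_and_passcode(FORGED))
    print("passcode check on genuine:", repr(check_sender_and_passcode(GENUINE)))
```

A passcode sent in the message body is a reusable shared secret that anyone able to read the mail in transit can replay, which is why the signed-email approach mentioned in the comments is the stronger of the two.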