Let’s start with, “What if a scammer pretends to be a bank? It looks like it’s very much possible to send an email as support@someBank.com. There must be some sort of protection against this?”
This is why we have standards such as Sender Policy Framework (SPF). SomeBank.com can (should) publish an SPF record in its DNS to specify the SMTP servers that are authorized to send mail from senders at SomeBank.com. If a spoofer tries to send a message appearing to be from *@SomeBank.com, he is unlikely to be able to relay the message through one of SomeBank.com’s SMTP servers. If he tries to send the message through an SMTP server other than one that is designated in the SPF record for SomeBank.com, the recipient’s spam filter would likely detect this mismatch and determine that there is a high likelihood that this message was spoofed.
So, how does Gmail provide its ‘send email as:’ feature, without breaking SPF?
See https://support.google.com/mail/answer/22370/send-emails-from-a-different-address-or-alias?hl=en, where it explains how to use this service. Note where it reads,
> For school or work accounts, enter the SMTP server (for example,
> smtp.gmail.com or smtp.yourschool.edu) and the username and password
> on that account.
As you can see, Gmail relays the message through the SMTP server that is already designated for that domain. This avoids breaking SPF.