The other thing to mention is that it is incredibly easy to spoof who an email is being sent by. Most non-web-based emails go through what's called an SMTP server. These don't check usernames or passwords; they just forward on emails. You can call yourself anything and no checks are made. Hence why you shouldn't click on a link in an email and then type in your password: in almost all cases you have no way of knowing if the email was sent by who it says it was sent by (so the link could be to a website collecting passwords...).
There are ways to create emails which will allow the sender to be confirmed (again using encryption such as PGP) but these are rarely used.
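An added example (not part of the original post) illustrating the point above: the visible `From:` header and the SMTP envelope sender that the receiving server records as `Return-Path:` are two independent, freely chosen fields, so a cheap defender-side check is to flag mail where the two domains disagree. The two messages are constructed samples with hypothetical domains; the check is only a heuristic, because a sender who controls the whole SMTP session can make both fields agree, which is why the post's point stands that only a cryptographic signature such as PGP actually confirms the sender.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (hypothetical domains, not real mail).
# Return-Path is normally stamped by the receiving server from the
# SMTP "MAIL FROM" envelope address, which the sender chooses freely.
LEGIT = """Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.net
Subject: Hello

Hi Bob.
"""

SPOOFED = """Return-Path: <bulk@mailer.example.org>
From: "Your Bank" <security@bank.example.com>
To: bob@example.net
Subject: Verify your password

Click the link and log in.
"""


def _domain(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def sender_domains(raw):
    """Parse a raw RFC 822 message and return (From domain, Return-Path domain)."""
    msg = email.message_from_string(raw)
    _, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    return _domain(header_from), _domain(envelope_from)


def from_mismatch(raw):
    """True when the displayed From domain differs from the envelope sender domain.

    A mismatch is a warning sign, not proof of spoofing (mailing lists and
    some bulk senders legitimately differ); agreement is not proof of
    authenticity either, since both fields are sender-controlled.
    """
    header_domain, envelope_domain = sender_domains(raw)
    return header_domain != envelope_domain


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, sender_domains(raw), "mismatch:", from_mismatch(raw))
```

Run it and the constructed "bank" message is flagged because its displayed domain (`bank.example.com`) is not the domain the envelope actually came from (`mailer.example.org`); the legitimate message is not.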