We made this announcement some years back, which describes how eM Client is not vulnerable to spoofing: