But it can work for individual addresses as well. For instance, gmail uses DKIM. If they only DKIM sign an email if the user is logged in as the address they are trying to send as, then boom, DKIM is proof that the email from is not forged, and the only way to bypass it is to hack the account.
