This is actually what SPF (Sender Policy Framework) was designed to mitigate.
DMARC and DKIM also are useful in this fight against this demented BS.
As for why they use it, they use it because that domain has not implemented SPF, and so there is no lookup occurring when the message arrives (SPF checks you are who you claim to be).
Why Google stand for these accounts is another question...
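To illustrate the SPF point above, here is an added example (not part of the original post) of how a receiving server's verdict differs between a domain that publishes an SPF policy and one that does not. The TXT records and IP addresses are constructed, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so that it runs without DNS.

```python
import ipaddress

# Constructed TXT record sets (documentation address ranges, not real domains).
PROTECTED = ["v=spf1 ip4:192.0.2.0/24 -all"]          # domain that publishes SPF
UNPROTECTED = ["site-verification=constructed123"]    # domain with no SPF record

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(txt_records, sender_ip):
    """Evaluate the SPF policy found in txt_records for the connecting IP.

    Offline subset of RFC 7208: mechanisms that need DNS (a, mx, include,
    exists) and modifiers such as redirect= are skipped.
    """
    policies = [t for t in txt_records
                if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not policies:
        return "none"        # nothing published: the receiver has no policy to enforce
    if len(policies) > 1:
        return "permerror"   # more than one SPF record is an error

    ip = ipaddress.ip_address(sender_ip)
    for term in policies[0].split()[1:]:
        qualifier = "+"      # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"         # no mechanism matched


if __name__ == "__main__":
    spoofing_host = "198.51.100.7"   # constructed: not an authorised sender
    print("no SPF record :", check_spf(UNPROTECTED, spoofing_host))
    print("SPF published :", check_spf(PROTECTED, spoofing_host))
    print("legit sender  :", check_spf(PROTECTED, "192.0.2.25"))
```

A `none` result leaves the receiver with no SPF basis for rejecting the message, while `fail` from a `-all` policy does.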