For the last USPS e-mail I got, the ‘From:’ address would have been enough to show something’s not right, as the spammer didn’t appear to forge the domain. I.e. it was "email@example.com"
Going by the header, it appears like a compromised home server: “Received: from s16268226.onlinehome-server.info (s16268226.onlinehome-server.info [18.104.22.168])”
Even the script that sent the e-mail appears to be listed, i.e. one line is “X-PHP-Originating-Script: 10010:kt10ye.php”.
On another e-mail I received claiming to be an eFax, it’s actually a little more tricky for the average user to check, as it uses an official-looking forged e-mail address "firstname.lastname@example.org", has official embedded images and links that point to efax.com, and the attachment is a PDF file (using an Adobe exploit).
Going by the header, the only giveaway would be the DNS “Received: from 71-20-217-97.clt.clearwire-wmx.net (unknown [22.214.171.124])”, i.e. Clearwire is a fixed wireless broadband ISP. It has a Thunderbird user agent and few other details in the header.
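
The header checks walked through in the comment above can be scripted for triage. This is an added example, not part of the original comment: the two sample messages are constructed with reserved example domains and IP addresses, and the function `header_hints` and its hint names are hypothetical names chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (reserved example domains and IPs), shaped like the two cases above.
USPS_LIKE = """\
Received: from s16268226.hosting.example (s16268226.hosting.example [198.51.100.20])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "USPS" <notice@unrelated.example>
X-PHP-Originating-Script: 10010:mailer.php
Subject: Delivery problem

body
"""
EFAX_LIKE = """\
Received: from 71-20-217-97.dyn.isp.example (unknown [192.0.2.97])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:05:00 +0000
From: "eFax" <message@brand.example>
User-Agent: Thunderbird
Subject: New fax

body
"""

# "from HELO (reverse-dns [ip])" as written by the receiving MTA
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")
# four numeric groups inside a hostname, e.g. 71-20-217-97 (typical of ISP address pools)
IP_IN_NAME_RE = re.compile(r"(?<!\d)\d{1,3}(?:[-.]\d{1,3}){3}(?!\d)")

def header_hints(raw):
    """Return triage hints (not verdicts) from one message's headers."""
    msg = message_from_string(raw)
    hints = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    # Assumption: the top-most Received line was added by our own MTA; lower ones can be forged.
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    if m:
        host, rdns = m.group(1).lower().rstrip("."), m.group(2).lower()
        if from_domain and host != from_domain and not host.endswith("." + from_domain):
            hints.append("sender-host-outside-from-domain")  # weak: common for bulk mailers
        if IP_IN_NAME_RE.search(host):
            hints.append("ip-derived-hostname")
        if rdns == "unknown":
            hints.append("no-verified-reverse-dns")
    script = msg.get("X-PHP-Originating-Script")  # added by PHP mail() when mail.add_x_header is on
    if script:
        hints.append("sent-by-php-script:" + script.strip())
    return hints
```

None of these hints is conclusive on its own; they are the same cues the comment reads by eye, collected so that a reviewer can sort a mailbox of reported messages.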