Look up the instructions for your mail provider to set up SPF, DKIM, and DMARC records in your DNS so email services know which emails sent from your domain are actually legit. Without those records telling email servers what’s valid and how to handle what’s not, it’s basically the Spider-Man pointing at Spider-Man meme.
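An added example, not part of the comment above: a small Python audit of SPF, DKIM and DMARC TXT records that flags settings which leave receivers without a clear instruction. The zone data is constructed for the placeholder domain example.com, and the include host, selector name and key value are assumptions; in practice the TXT strings would come from a DNS lookup.

```python
# Constructed TXT records for the placeholder domain example.com (not real data).
WEAK_ZONE = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
HARDENED_ZONE = {
    **WEAK_ZONE,
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

def parse_tags(record):
    # Split a 'tag=value; tag=value' record (DKIM/DMARC) into a dict.
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txts):
    spf = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # more than one SPF record is a permanent error
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            if qualifier == "-":
                return []
            return ["SPF: '%sall' does not hard-fail unlisted senders" % qualifier]
    return ["SPF: no terminal 'all' mechanism"]

def audit_dkim(txts):
    keys = [tags for tags in map(parse_tags, txts) if "p" in tags]
    if not keys:
        return ["DKIM: no key record published at this selector"]
    # An empty p= tag means the key has been revoked.
    return ["DKIM: key is revoked (empty p=)"] if keys[0]["p"] == "" else []

def audit_dmarc(txts):
    recs = [parse_tags(t) for t in txts
            if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(recs)]
    policy = recs[0].get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return []
    return ["DMARC: p=%s gives receivers no instruction to quarantine or reject"
            % (policy or "<missing>")]

def audit_domain(zone, domain, selector):
    return (audit_spf(zone.get(domain, []))
            + audit_dkim(zone.get("%s._domainkey.%s" % (selector, domain), []))
            + audit_dmarc(zone.get("_dmarc." + domain, [])))
```

Calling `audit_domain(WEAK_ZONE, "example.com", "selector1")` returns one SPF finding and one DMARC finding, while the hardened zone returns an empty list.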
Apparently all that data is included in the ActivityPub protocol. On Kbin, every post has an Activity button that shows every user (even those on other instances) that upvoted/downvoted/saved that post. So if a Lemmy post happens to federate to Kbin, all that info can be seen publicly by anyone.