The checking and validation could happen at various points in the email chain, including at an intermediary server for instance belonging to an internet service provider, or within an institution, or at the client side, through a security, anti-spam or other application.