Hey!
I've been investigating this and here is the reason for the curious ones:
There are tons of spam sent daily and it is easy to spoof it, in other words it is very easy to send an email impersonating anyone. Basically, it is just a field where you can input any string of text without any possible restriction. It is kinda of similar to writing a letter, where you can write anything in the sender address.
Still, the email header has lots of details such as spam ratings and the ip addresses of the mail servers which were used to send it (just like a real postcard will get a stamp from the mail office even if I say it comes from the moon). That is basically the main reason we sometimes receive emails from "known addresses" that were not sent by them.
On the other hand, this also gives the non malicious user the possibility to have features such as a contact form or a "share this news item with a friend" button in their site. When using it (such as our contact form), the user inputs their email and the other end receives and email with that in the "From:" field. In the end, although it seems that the mail was sent from the user's mailbox, it was sent by the site mail server (or the one that was setup in the config), since obviously it doesn't have the access credentials of the mail in the "from" field (in this case, to the yahoo mail servers).
Now, what happened is that "Yahoo became the first major mailbox provider to publish a DMARC policy of reject. For those of you who are not familiar with DMARC and don’t know what a reject policy is, this means that Yahoo has a line of text in their DNS record telling other DMARC compliant mail providers (MBPs) to reject any mail from a Yahoo domain if it doesn’t come from Yahoo’s own servers." (it matches the addresses from yahoo servers and the ones in email headers).
Since Gmail is one of these "DMARC complaint mail providers", it just rejected your email to me but delivered it to Cassiel (since he uses a non DMARC complaint mail provider). Bottom line: we don't have much to do here, most of the "share this" or "contact forms" will probably be unusable if this practice spreads (which is good since it removes tons of spam). One possible fix is to have something like "contactform <at> tosecdev.org" in the From field and add the user email to the "Reply-to" field, guaranteeing that they will still get the reply. As I'm lazy, I will probably not look much further at this (read hack the module by myself). If really needed, I will ask/check if the used "contact form" component is updated by their creators to have this possibility be default.
Sources:
http://blog.returnpath.com/blog/christine-borgia/all-about-yahoos-dmarc-reject-policyhttp://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders