What even is the point of requiring a dongle if you can do this? Checkbox security at its best.

You can do this with most systems. Just edit the From field in a script. External emails will usually be blocked and you can still see in the header that it was not sent from the actual account so that the risk of fraud is low.

If it happened with a script it should be easy to find out by looking at logs and/or header.

Yeah, at this point if it's an actual cryptographic security key, it could be used to sign each and every e-mail.