Phishing becoming more sophisticated: can someone explain how is it possible "google.com" domain is used for phishing email?

I've recently started to receive forms (phishing emails) from sender:
**Google Forms** **<**[**forms-receipts-noreply@google.com**](mailto:forms-receipts-noreply@google.com)**>**


that's the "from:" field.
then there's "mailed-by:" field which also uses the same [google.com](https://google.com) domain.

the content clearly isn't from Google but the domains look legit. how is this possible?

domain domains email emails forms google google forms isn legit mailto phishing phishing emails privacy