Anyone can make a signature saying they are anyone they please, from your friend to the king of Prussia. End users must know and believe this, so they do not trust signatures blindly.
Signatures are trustworthy only if they come from a trusted source. These would be either:
1. The signature public certificate is supplied to you previously. Not just in another email, of course, but in something which is tied in with personal contact, like a phone call, a visit, etc.
2. The signature is issued by a trusted authority, possibly within your organisation, with a chain of trust.
Once this is set up, it is vital that your end users validate signatures with full understanding of the trust model your organisation adopts, or all is utterly worthless.
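The two trust sources above, as an added Go example that is not part of the original answer: a message signature is checked first against the sender's certificate, and then that certificate is checked against what the recipient actually trusts, either a certificate pinned out of band (model 1) or an organisational CA (model 2). A self-signed certificate carrying the same name verifies the signature just as well but chains to nothing, so it is rejected. The names alice@example.org, Example Org CA and the message text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert mints an Ed25519 certificate for name; parent == nil gives a self-signed one, which anyone can mint.
func makeCert(name string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if parent == nil { // self-signed: the issuer vouches only for itself
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // cannot happen with the constructed inputs in Demo
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// verifySignedMessage accepts msg only if sig verifies under the sender's certificate AND that certificate chains to a trusted root.
func verifySignedMessage(msg, sig []byte, sender *x509.Certificate, roots *x509.CertPool) error {
	pub, ok := sender.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under the sender's certificate")
	}
	_, err := sender.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err // x509.UnknownAuthorityError when no trusted root vouches for the sender, however valid the signature
}
// Demo models both trust sources from the text with constructed data (pinned certificate, organisational CA) and reports who is accepted.
func Demo() (pinnedGenuine, pinnedImpostor, caGenuine, caImpostor bool) {
	msg := []byte("constructed sample message: please wire the funds today")
	orgCA, caKey := makeCert("Example Org CA", x509.KeyUsageCertSign, nil, nil)
	alice, aliceKey := makeCert("alice@example.org", x509.KeyUsageDigitalSignature, orgCA, caKey)
	impostor, impostorKey := makeCert("alice@example.org", x509.KeyUsageDigitalSignature, nil, nil)
	pinned, ca := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(alice) // obtained by phone call or visit, never just from another email
	ca.AddCert(orgCA)     // the organisation's trust anchor
	sigA, sigI := ed25519.Sign(aliceKey, msg), ed25519.Sign(impostorKey, msg)
	ok := func(sig []byte, c *x509.Certificate, r *x509.CertPool) bool { return verifySignedMessage(msg, sig, c, r) == nil }
	return ok(sigA, alice, pinned), ok(sigI, impostor, pinned), ok(sigA, alice, ca), ok(sigI, impostor, ca)
}
```

Demo returns true, false, true, false: the genuine sender is accepted under both models and the impostor under neither, even though both signatures are cryptographically valid.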