Anyone can send an email and fill in the “from” address with someone else’s email address.
You cannot know for certain who an email came from.
You can know for certain (relatively) who an email is going to.
Thus, when someone emails you asking you for help with their password or SSH key (or any other highly important change):
Be nice, reply to your sender assuming they are the real person without revealing any important or confidential information. Include the message they sent you in your reply so they will see it, and ask them to reply back to confirm.
If you do NOT get a reply back saying something like “What are you talking about? I didn’t request to change my password/SSH key?!“,
If you DO get a reply back saying something to effect of “Yes please, thanks!“,
Then are you safe to proceed with a major security change like a password or SSH key change.
It’s that simple. 🙂
Caveat: This assumes the attacker does not have access to the email account to which you reply.
Note: Use https to connect to your mail server/service to avoid people snooping on your signal.