It's a 'security' thing, and in this case, changing the extension is the easiest way to fix it. I did a few tests before and Gmail at the very least checks 7zip and zip files.
You need everyone in the company to run it - use a fileshare and share the link to it internally. You might also be able to upload it somewhere and get the link to the others. In this case getting creative is the best idea.
It is indeed very hard to solve the problem of e-mail spoofing in a general way, due to the simple and highly distributed way the protocol is designed.
The physical letter analogy holds up quite well in this example: I can put a letter into the post, and write on it that it comes from your house; I don't need to have broken into your house to do this, just drop it in a public post box. And if the post is marked "return to sender" it may well end up being "returned" to you, even though you didn't write it. The same happens with e-mail: anybody can deliver a message into the system, with a To and a From address; the server you send mail from may not be the same one you receive mail to, and there's no centralised service verifying your identity when you drop a message into the system.
There are two general approaches to solving this:
Digital signatures are a way of including in a message a kind of signature or seal which only the real sender knows how to generate (using a private key which they never share). The recipient can then verify the signature using a public key which mathematically proves who produced the signature (and that it matches the received text).
This is not, however, very useful for your example, because it doesn't prevent the messages being delivered, and requires recipients to know the public key, or a verified location to retrieve it.
Domain-based sender verification systems have been developed to try to prevent spam. These store data in the DNS (directory lookup) for the domain of the address (the part after the @) which allow a receiving system to verify if a mail is legitimate. One system, SPF, lists which systems are allowed to send mail on behalf of that domain; another, DKIM, stores public keys used similarly to the digital signature approach above, but for verifying the transmitting system, rather than the actual sender.
(To slightly over-extend the physical letter analogy, SPF is like publicly saying "I only post letters using this post box" and DKIM is like publicly saying "I always send mail from this post office which prints a tamper-evident label for me".)
These would be more relevant to your case - if your wife were using a custom domain, an appropriate SPF or DKIM setup would cause many systems to silently reject mail which she had not sent herself (or mark it as spam, without attributing it to her). However, it only works at the domain level, not the individual address, and some recipient systems may not check the records.
Best Answer
Try the Email Blacklist lookup tool.