
Do you have access to data that would cause a news story if you sent it to the wrong person? If yes, then yes, verify it before sending.

Also, spoofing an email address wouldn't help. If you respond, it will go to the spoofed address, which is the correct one. They need to send it from their own email address, which means that you only need to verify that it's sent from your manager's address, or just manually send it to your manager.




It's likely that their SMTP server accepts messages with an SMTP "MAIL FROM" command and/or "From" header address that belongs to the company's own domain without requiring authentication. The attacker then adds a "Reply-To" header so that replies will be sent elsewhere (likely a throwaway free email account).

This shows up in email clients as "From: legit.name@example.com". When the recipient replies, they don't notice that they're sending a reply to a different address than the one their client claimed was the sender of the original message.

Receiving SMTP servers need to be configured to require SMTP authentication for messages claiming to originate from the company's own domain.


> Receiving SMTP servers need to be hardened to require SMTP authentication for messages claiming to originate from the company's own domain.

Or validate SPF / DKIM and enable it for their own domain.
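
The Reply-To redirection described in the comment above, and the SPF/DKIM cross-check suggested in the reply, can both be turned into a simple inbound-mail check. The following is an added example and is not code from the thread: it parses a raw message with Python's standard `email` library, reports when a message that shows the company's own domain in `From` would send replies somewhere else, and reads the SPF/DKIM verdicts the receiving server recorded in its `Authentication-Results` header. The two sample messages, the `example.com` domain and the `throwaway-mail.invalid` address are constructed for the example.

```python
"""Flag messages whose From header claims the company's own domain while
Reply-To (or the SPF/DKIM verdicts) say otherwise. Added example, not code
from the thread; sample messages below are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From claims the company domain, Reply-To redirects to a
# free-mail account, and the receiving MX recorded an SPF failure.
SPOOFED = b"""\
Return-Path: <bounce@throwaway-mail.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=throwaway-mail.invalid; dkim=none
From: "CEO Name" <ceo@example.com>
Reply-To: ceo.example@throwaway-mail.invalid
To: finance@example.com
Subject: Urgent wire transfer

Please send the latest payroll file.
"""

# Constructed sample: genuine internal mail, no Reply-To, SPF and DKIM pass.
LEGIT = b"""\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "CEO Name" <ceo@example.com>
To: finance@example.com
Subject: Lunch

Are we still on for Friday?
"""


def _domain(addr_header):
    """Lower-cased domain of the first address in a header value, or None."""
    if not addr_header:
        return None
    _, addr = parseaddr(str(addr_header))
    return addr.rpartition("@")[2].lower() or None


def _auth_results(header):
    """Extract method=result pairs (spf, dkim, dmarc) from an
    Authentication-Results header; a small subset of RFC 8601."""
    results = {}
    if not header:
        return results
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.IGNORECASE):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def analyze(raw_message, own_domain):
    """Return findings for one raw RFC 5322 message. 'suspicious' is True when
    From claims own_domain but a reply would leave it, or when the recorded
    SPF verdict for such a message is anything other than pass."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    own = own_domain.lower()
    from_dom = _domain(msg.get("From"))
    # Mail clients address replies to Reply-To when it is present, else to From.
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    return_path_dom = _domain(msg.get("Return-Path"))
    auth = _auth_results(msg.get("Authentication-Results"))
    findings = {
        "from_domain": from_dom,
        "reply_domain": reply_dom,
        "reply_to_redirect": from_dom == own and reply_dom != from_dom,
        "return_path_mismatch": return_path_dom is not None and return_path_dom != from_dom,
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
    }
    findings["suspicious"] = bool(
        findings["reply_to_redirect"]
        or (from_dom == own and findings["spf"] not in (None, "pass"))
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw, "example.com"))
```

Run as-is, the spoofed sample is reported with `reply_domain` set to the free-mail domain and `spf` equal to `fail`, while the genuine sample is not suspicious. In practice the `Authentication-Results` header is only trustworthy when it was added by your own receiving MX (strip any copy that arrives from outside before trusting it), and the Reply-To comparison is exactly the check a user cannot be expected to do by eye.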





