I just create an alias for my firstname.lastname@example.org. It's just easier and I get replies back to a real account.
Yes, that works fine. However, the WordPress instructions do not tell people to do this; if creating an e-mail address before installing WordPress is the solution (I hope it's not), they should.
Then get another anti-spam system.
As it happens, I'm not complaining about my setup. It works fine for me. I'm complaining on behalf of other people who might not want to replace their anti-spam system just so they can get this message... especially since their anti-spam systems are doing what they're supposed to (detecting forged sender addresses on a message -- in this case, wordpress@<domain_name>).
Also, how exactly do you check the validity of a sender address? Sender domain is easy to check, but the sender within the domain?
Many inbound anti-spam systems do this by making a "callback" to the sending server and performing "HELO / MAIL FROM <> / RCPT TO <address> / QUIT" steps, checking that "RCPT TO <address>" works.
And many outbound mail systems have a list of valid "From" addresses that exist on the system, rejecting others (this is a good way of stopping compromised scripts from spewing spam).
If it defaults to the user ID of the web server process (such as apache2 or www-data) how is that better than email@example.com?
It's far better. The default mail() address on any properly configured system should be a valid address that's allowed to send mail. wordpress@<domain_name> probably isn't.
Again, it's simply not okay to make up fake e-mail addresses these days. It's not 1988 any more. Forged e-mail is one of the biggest problems on the Internet, and more and more systems detect and block it in all sorts of ways, both on the outgoing and incoming ends.
Scripts that send mail should either use the default address or ask the user for a valid address.
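The "callback" check described in the reply above (HELO / MAIL FROM <> / RCPT TO <address> / QUIT), as an added example that is not part of the original post or of any mail system's own code. The `example.test` addresses, the local stand-in server and the function names are assumptions made so the exchange runs offline.

```python
import smtplib
import socketserver
import threading

# Constructed mailbox table for the stand-in sending server (not real addresses).
MAILBOXES = {"www-data@example.test": "250 OK",
             "greylisted@example.test": "451 Try again later"}

class FakeSendingServer(socketserver.StreamRequestHandler):
    """Minimal local SMTP responder so the callout can run offline."""
    def handle(self):
        self.wfile.write(b"220 mail.example.test ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            if line.upper().startswith("RCPT TO:"):
                addr = line[8:].strip().strip("<>").lower()
                reply = MAILBOXES.get(addr, "550 No such user here")
            elif line.upper().startswith("QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:  # HELO and MAIL FROM:<> are always accepted here
                reply = "250 OK"
            self.wfile.write(reply.encode("ascii") + b"\r\n")

def start_fake_server():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSendingServer)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def callout_verify(host, port, sender, helo_name="verifier.example.test"):
    """Return 'valid', 'invalid' or 'unknown' for a claimed sender address."""
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=5) as smtp:
        smtp.helo(helo_name)
        smtp.mail("")                # null reverse-path: MAIL FROM:<>
        code, _ = smtp.rcpt(sender)  # would a bounce to this sender be accepted?
    if 200 <= code < 300:
        return "valid"
    if 500 <= code < 600:
        return "invalid"             # permanent rejection: no such mailbox
    return "unknown"                 # 4xx: temporary failure, not proof of forgery

if __name__ == "__main__":
    srv = start_fake_server()
    host, port = srv.server_address
    for sender in ("www-data@example.test", "wordpress@example.test",
                   "greylisted@example.test"):
        print(sender, "->", callout_verify(host, port, sender))
    srv.shutdown()
```

A sender that has no mailbox on the sending server, such as a made-up `wordpress@` address, comes back `invalid`, which is the condition the anti-spam systems in the thread act on.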