How is one to know if Facebook or MySpace truly sent the e-mail or if it is spoofed? Eventually there will be enough adoption of electronic signatures and DNS-level security to make these spoofed messages ineffective. In the meantime, there is one method that I employ to make sure a message is genuine. Each social networking (or e-commerce, airline, or whatever) Website that I use has its own unique e-mail address for me.
If you are fortunate enough to have your own domain name and a mail server (Google Apps is great for this), you can create firstname.lastname@example.org and email@example.com. If you receive any notification message purporting to be from a site but the "to" address does not match, consider that message to be highly suspect and delete it immediately.
For those of us without the luxury of their own domain, or who are worried that someone might be able to easily guess their firstname.lastname@example.org addressing scheme, a few e-mail masquerading services are available. My favorite is Sneakemail.com, which lets you create an unlimited number of e-mail aliases for a modest $2 per month. This way, you can use one unique e-mail per Website, and all the messages get forwarded to your "real" mailbox. The service even handles replies, so that the Website never has your real address.
If you receive a password reset notification directly to your work e-mail instead of your unique address for that site, you know it is at best spam and at worst a phishing attempt. As a nice side effect, you'll be able to catch unscrupulous Websites that share your information with third parties. I once received several unsolicited offers from a company to the e-mail address that I had provided only to a particular airline's frequent flyer club. Needless to say, I contacted the club's privacy department, provided logs, and promptly canceled that account.
Don't Click on Anything in E-Mail
As a rule, I don't click on links within e-mail, ever. Not even from known senders. Well-formatted HTML e-mails should have a URL just below the big "Click here" button, usually in a section that says "if your e-mail program doesn't allow links, copy and paste the following into your browser." If you still can't find the URL, switch your mail reader to display plain-text (in Gmail, you can use the "Show original" option from the reply menu) and find it there.