The analogous message for untrusted webpages is "Go ahead, browse, because this is in the sandbox of the browser.".
And, when you type stuff into a textbox and POST it over HTTP, a text box often pops up the first time, saying "This is insecure, fyi".
For text-only emails, it's plenty fine. For emails with images, there's some privacy issues, and for emails with attachments, even more issues.
For the average user that won't check MD5s, saying "This can't be trusted, throw it out" is probably the right idea. There's a lot of history of people telling others their password for a candy bar, so anything that users really want they'll get, scarygram or no.
"'Facebook' has not been verified by a certificate authority and may damage your computer. You should close this window."
"'Bob Smith' may not actually be the author of this message and the contents may be lies. You should delete this email."
The happy outcome there is users learn to ignore both of them inside of a week.