Currently I don’t think any implementations would accept an activity owned by a domain different from the Actor. If they sent a Create it would be technically verifiable, but I don’t think we have any mechanism for fetching a Create from the created activity.
Note that I’m ignoring the suggestion of signatures, as that would probably have to be LDSigs and only a few implementations actually support those.