I have an application that reads incoming email received by a specific email address. The application then does business transactions based on the content of the email.
Currently the application only does a String compare of "from address" (against a list of whitelisted addresses) to check if the request is coming from a valid source.
But, is this safe? Can an unauthorized person send a spoof email from an email-ID, without having the access to that email?
No, this is not secure; the sender can easily be spoofed. The sender should authenticate their emails and as the recipient, you should verify that the email is authentic. If your incoming mail server adds (or can add when configured appropriately) an Authentication-Results header field (and removes existing such header fields), it's probably the easiest approach to simply rely on this field instead of verifying anything yourself.
Ignoring the problem of transport security, an alternative approach may be to simply include a secret token in the message (body or some header field – or even in the local part of both mail addresses).
Note that both approaches require full trust in the mailbox provider of both the sender and the recipient. If this is not acceptable for your threat model, you should look at end-to-end security or abolish this idea altogether.
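One way to apply the Authentication-Results advice from the answer above, as an added example that is not part of the original answer: the whitelist check is kept, but a message is accepted only if the topmost Authentication-Results field was written by your own server and records `dmarc=pass` for the same From domain. The authserv-id `mx.recipient.example`, the whitelist entry and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the authserv-id your own incoming server writes,
# and the application's existing whitelist.
TRUSTED_AUTHSERV_ID = "mx.recipient.example"
ALLOWED_SENDERS = {"orders@partner.example"}

def is_authenticated_sender(raw_message: str) -> bool:
    """True only if From is whitelisted AND our own server recorded dmarc=pass for it."""
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From", [])
    if len(from_fields) != 1:  # missing or duplicated From is ambiguous: reject
        return False
    addr = parseaddr(str(from_fields[0]))[1].lower()
    if addr not in ALLOWED_SENDERS:
        return False
    from_domain = addr.rpartition("@")[2]

    results = msg.get_all("Authentication-Results", [])
    if not results:
        return False
    # Use only the topmost field (the one our server prepended) and unfold it.
    top = " ".join(str(results[0]).split())
    authserv_id, _, methods = top.partition(";")
    if authserv_id.strip().split(" ")[0].lower() != TRUSTED_AUTHSERV_ID:
        return False
    # Simplified parsing: assumes no ';' inside comments in the field.
    for resinfo in methods.split(";"):
        verdict = re.match(r"\s*dmarc=(\w+)", resinfo, re.I)
        if verdict:
            dom = re.search(r"\bheader\.from=([\w.-]+)", resinfo, re.I)
            return (verdict.group(1).lower() == "pass"
                    and dom is not None and dom.group(1).lower() == from_domain)
    return False

def sample_message(auth_results: str, sender: str = "orders@partner.example") -> str:
    """Constructed test message; not real mail."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: Partner <{sender}>\nTo: app@recipient.example\n"
            "Subject: order 1\n\nbody\n")

if __name__ == "__main__":
    good = ("mx.recipient.example; spf=pass smtp.mailfrom=partner.example;\n"
            " dmarc=pass header.from=partner.example")
    print(is_authenticated_sender(sample_message(good)))
```

A `dmarc=pass` result authenticates the From domain, not the individual mailbox, so this check still depends on the trust in the sender's mailbox provider that the answer describes.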