Yes, the signed mail really does contain the signer's certificate, but only the public part (the private key is not included). So, everyone can validate the signature using the embedded public key. This implies that the signer has access to the corresponding private key.
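The behaviour described above can be checked with the OpenSSL command line; this is an added example, not part of the original answer, and the signer name, file names and message text are constructed. It also separates the two checks a verifier makes: the signature against the embedded public key, and trust in the certificate itself.

```shell
#!/bin/sh
# Added example: throwaway key, self-signed certificate and message (all constructed).
check() {  # run a command quietly and report label=ok or label=fail
    label=$1; shift
    "$@" >/dev/null 2>&1 && echo "$label=ok" || echo "$label=fail"
}

smime_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Signer" \
            -keyout key.pem -out cert.pem 2>/dev/null || exit 1
        printf 'quarterly report attached\n' > msg.txt
        # Default output is a clear-signed multipart/signed message.
        openssl smime -sign -in msg.txt -signer cert.pem -inkey key.pem \
            -out signed.eml 2>/dev/null || exit 1

        # The signature blob carries the signer's certificate.
        openssl smime -pk7out -in signed.eml | openssl pkcs7 -print_certs -out embedded.pem
        a=$(openssl x509 -in cert.pem -noout -fingerprint -sha256)
        b=$(openssl x509 -in embedded.pem -noout -fingerprint -sha256)
        [ "$a" = "$b" ] && echo "embedded_cert=signer" || echo "embedded_cert=other"

        # Nothing extracted from the mail parses as a private key.
        openssl pkey -in embedded.pem -noout 2>/dev/null \
            && echo "private_key=present" || echo "private_key=absent"

        # Signature check against the embedded public key only (no chain check).
        check sig_embedded_key openssl smime -verify -in signed.eml -noverify
        # Chain validation is a separate step: the self-signed cert is untrusted
        # until the verifier explicitly anchors it.
        check chain_default_store openssl smime -verify -in signed.eml
        check chain_explicit_anchor openssl smime -verify -in signed.eml -CAfile cert.pem

        # Changing the signed text breaks the signature.
        sed 's/quarterly/QUARTERLY/' signed.eml > tampered.eml
        check sig_after_tamper openssl smime -verify -in tampered.eml -noverify
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

smime_demo
```

A passing `-noverify` result only shows that the message was signed with the private key matching the embedded certificate; whether that certificate belongs to the claimed sender depends on the chain check.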