malware filter, messages from internal senders, would be better if checked against actual users and aliases, not spoofed fakes
would be better if the email warning could let me know which of my domain users is mentioned in the email. For example the warning only tells me the FROM (sender address) not the return path which is apparently where the warning derived its internal connection from:
email@example.com evea@[my domain].com
However it would be even better if it would then run the user in the return path against our list of users and aliases since this evea has never been used at our organization so not actually internal.