Block messages if MAIL FROM and RCPT TO do not match for our own domain
It seems you can bypass SPF and DMARC filters by using different legitimate "Mail From" and "RCPT To" addresses. This allows a form of CEO fraud to continue. What about blocking inbound emails from our own domain if the "MAIL FROM" and "RCPT TO" do not match? Your phishing detectors might be able to learn from this as well.
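The rule proposed above, written out as an added example (this is not code from the original post or from any product it may be addressed to). It interprets the rule as: on an inbound connection from outside our own mail infrastructure, reject a message whose envelope MAIL FROM claims our own domain but differs from the RCPT TO address. The domain `example.com`, the function names and the sample envelopes are constructed for the example; the null-sender case (bounces, which carry an empty MAIL FROM) is handled explicitly because it has no domain to compare.

```python
# Added example, not from the original post: a minimal policy check for the
# "MAIL FROM vs RCPT TO for our own domain" rule.
# OWN_DOMAIN, the helper names and the sample envelopes are constructed.

OWN_DOMAIN = "example.com"  # constructed placeholder for "our own domain"


def _normalize(addr):
    """Strip angle brackets and whitespace; lower-case the domain part only.

    The SMTP local part is in principle case-sensitive, the domain is not.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return addr  # null sender "<>" (bounces) or a bare local part
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def _domain(addr):
    return addr.rpartition("@")[2] if "@" in addr else ""


def check_envelope(mail_from, rcpt_to, inbound, own_domain=OWN_DOMAIN):
    """Return ("REJECT", reason) or ("OK", reason) for one SMTP envelope.

    inbound: True when the connecting client is outside our own mail
    infrastructure; the rule is only meant for mail arriving from outside.
    """
    sender = _normalize(mail_from)
    recipient = _normalize(rcpt_to)

    if not inbound:
        return ("OK", "submitted from our own infrastructure, rule not applied")
    if sender == "":
        # Null sender carries no domain claim; leave bounces to the normal
        # SPF/DMARC processing rather than this rule.
        return ("OK", "null sender, not covered by this rule")
    if _domain(sender) != own_domain.lower():
        return ("OK", "envelope sender is not our domain")
    if sender == recipient:
        return ("OK", "envelope sender and recipient match")
    return (
        "REJECT",
        f"inbound mail claims {own_domain} as envelope sender but "
        f"MAIL FROM {sender} != RCPT TO {recipient}",
    )


# Constructed sample envelopes: (MAIL FROM, RCPT TO, inbound?)
SAMPLES = [
    ("<ceo@Example.com>", "<finance@example.com>", True),   # the CEO-fraud shape
    ("<alice@example.com>", "<alice@example.com>", True),   # sender == recipient
    ("<>", "<alice@example.com>", True),                    # bounce, null sender
    ("<partner@other.example>", "<alice@example.com>", True),  # external domain
    ("<ceo@example.com>", "<finance@example.com>", False),  # internal submission
]


def run_samples():
    """Verdicts for SAMPLES, in order."""
    return [check_envelope(m, r, i)[0] for m, r, i in SAMPLES]


if __name__ == "__main__":
    for (m, r, i), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:6} MAIL FROM {m} RCPT TO {r} inbound={i}")
```

Only the first sample is rejected; the matching-address, bounce, external-domain and internally submitted envelopes pass. The `inbound` flag is the part that needs care in a real deployment: a site whose own mail legitimately re-enters through an external relay or mailing list would see that traffic hit the rule, so logging the verdict (and feeding it to the phishing detector, as the post suggests) before turning on a hard reject is the safer rollout.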