The Salesforce breach
Problem reported by Douglas Foster - Today at 4:11 AM
Submitted
I was just reviewing facts about the security breach at Salesforce.com: An attacker used a supply chain vulnerability to extract data about Salesforce client accounts. That means that if MegaCorp is a Salesforce client, and you are a customer of MegaCorp, then the bad guys may know about conversation patterns between specific email addresses at MegaCorp and specific email addresses at your company. They may even know the topics you have been discussing with them. That knowledge means that the bad guys can set up a very effective impersonation attack.

This is one more reason why the "From" identity of every message must be authenticated. The DMARC test should be applied to every message, whether the domain has a DMARC policy or not. Then a local policy structure is needed for messages that are acceptable but not able to pass the DMARC test. Messages that cannot be authenticated by DMARC or local policy should be sent to quarantine for review and disposition. Acceptable messages get a local policy entry to give them authentication, while impersonation messages are given a block rule on the identifier that is responsible for the impersonation.
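
The decision flow described in the post above, sketched as an added example that is not part of the original post and is not any mail product's own code. The class and function names, the `.example` domains, the two-label organizational-domain shortcut, and checking block rules first are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def org_domain(domain: str) -> str:
    """Assumption: the last two labels stand in for the organizational domain.
    Production code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Message:
    from_domain: str                          # domain of the visible From address
    spf_pass_domain: Optional[str] = None     # MAIL FROM domain, set only if SPF passed
    dkim_pass_domains: Tuple[str, ...] = ()   # d= domains whose signatures verified

    def identifiers(self):
        ids = [self.spf_pass_domain, *self.dkim_pass_domains]
        return [d.lower() for d in ids if d]


@dataclass
class LocalPolicy:
    allow: Set[Tuple[str, str]] = field(default_factory=set)  # (From domain, identifier)
    block: Set[str] = field(default_factory=set)              # identifiers behind impersonation


def dmarc_aligned(msg: Message) -> bool:
    """DMARC test (relaxed alignment), run whether or not a policy is published."""
    want = org_domain(msg.from_domain)
    return any(org_domain(d) == want for d in msg.identifiers())


def disposition(msg: Message, policy: LocalPolicy) -> str:
    ids = msg.identifiers()
    if any(d in policy.block for d in ids):
        return "block"
    if dmarc_aligned(msg):
        return "accept"
    if any((msg.from_domain.lower(), d) in policy.allow for d in ids):
        return "accept-local"
    return "quarantine"  # unauthenticated: hold for review and disposition


# Constructed sample: MegaCorp mail relayed through an unaligned sending service.
policy = LocalPolicy()
msg = Message("megacorp.example", "bounce.esp.example", ("esp.example",))
first = disposition(msg, policy)                       # held for review
policy.allow.add(("megacorp.example", "esp.example"))  # reviewer judged it acceptable
second = disposition(msg, policy)                      # now authenticated by local policy
```

A message with no verified SPF or DKIM identifier cannot match any allow entry, so it always lands in quarantine until a reviewer decides what to do with it.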
