We should eventually configure SPF DNS records for `phabricator.org` (none), `phacility.com` (Google Domains), and `phabricator.com` (SES). This would reduce an attacker's ability to create email that appears to originate from the Phabricator system or our corporate accounts.
I think the risk here is very low and SPF is not trivial to understand and test, so I don't plan to do this anytime soon, although we should probably do it before we do anything with payments.
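
An added example, not part of the original task or the project's code: an offline lint for the three SPF records this would involve, catching the usual mistakes before anything is published. The record strings are constructed proposals, the include hosts `_spf.google.com` and `amazonses.com` assume mail leaves through Google and Amazon SES, and the function names are hypothetical.

```python
# Added example: offline lint for proposed SPF TXT records.
# Counts only lookups in the record itself; lookups made inside included
# records also count toward the limit when a receiver evaluates SPF.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror

# Constructed proposals, not published records. The include hosts are an
# assumption that mail leaves through Google and Amazon SES respectively.
PROPOSED = {
    "phabricator.org": ["v=spf1 -all"],  # domain sends no mail
    "phacility.com": ["v=spf1 include:_spf.google.com ~all"],
    "phabricator.com": ["v=spf1 include:amazonses.com ~all"],
}


def lint_record(record):
    """Return a list of problems in one SPF record (empty list means OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_qualifier = [], 0, None
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?").lower()
        name = body.replace("=", ":").replace("/", ":").split(":", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
            if pos != len(terms) - 1:
                problems.append("'all' is not the last term; later mechanisms never match")
    if all_qualifier is None and "redirect=" not in record.lower():
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        problems.append("'%sall' does not restrict unlisted senders" % all_qualifier)
    if lookups > MAX_LOOKUPS:
        problems.append("%d DNS lookups exceeds the limit of %d" % (lookups, MAX_LOOKUPS))
    return problems


def lint_domain(txt_records):
    """Lint all TXT records of one domain; exactly one may be an SPF record."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["expected exactly 1 SPF record, found %d" % len(spf)]
    return lint_record(spf[0])


if __name__ == "__main__":
    for domain, records in PROPOSED.items():
        print(domain, lint_domain(records) or "OK")
```
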