NOTE: Humans reduce their ability to detect/resist fraud when under time pressure. See how the email puts the victim under duress by threatening to delete messages. To act as quickly as possible. This is a huge red flag that will help you if you know to look for it in attacker communications (or life in general). Because attackers know this is a shortcut to better results.

At my work we are planning for this kind of nightmare scenario by moving to tightly-governed and logged SMTP relays. It will take a lot of work but giving vendors SPF/DKIM, although MUST be done in interim as soon as possible so you can get DMARC to enforcement, is a blank check when you are an incredibly sensitive service/huge target.
Most should not worry about this there's a 100 things more important but understand the exposure.