by rdl 4465 days ago
Ever so slight mitigation of this is that Coinbase uses SPF, but they use SPF with a fairly open list (just phish via Amazon SES, Mailgun, etc.). So phishing mail has some chance of getting marked down as spam by recipients if you make it appear to be from coinbase.com.

I'd probably go all-out and send from coinbasemail.com though.

1 comments

To phish via SES, you'd have to get coinbase.com as a verified domain, which means you'd need DNS access. I assume the same is true of other email providers.