You can count on phishing messages to be from spoofed domains. IMO, the best first step in preventing spam of any kind is to implement SPF on your mail server or use Postini's. SPF filtering can be strict or loose, depending on how much you want to control and protect your mail server and users. To eliminate MX bypass, if possible, only allow inbound relay from Postini's IPs.
When using Google Apps Business, you can restrict inbound routing to specific IPs, including Postini's. Your GApps email settings dashboard has the Postini IPs listed for you to enter.
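As an added example, not part of the original answer: a minimal, offline SPF evaluator over a constructed TXT-record table, showing how the same SPF result is handled under a strict policy versus a loose one. Every domain, address and record below is made up for illustration, and only the ip4, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (not real records).
TXT_RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailfilter.test -all",
    "_spf.mailfilter.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "soft.test": "v=spf1 ip4:192.0.2.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip against domain's record.
    Supports ip4 (with CIDR), include, and all; other mechanisms are skipped."""
    if depth > 10:                      # RFC 7208 caps DNS-based lookups at 10
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced record yields "pass"
            if evaluate_spf(term[8:], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # record ran out without an "all" term

def filter_decision(result, strict):
    """Strict: accept only an explicit pass. Loose: reject only a hard fail,
    so softfail/neutral/none mail is still delivered (typically for scoring)."""
    if strict:
        return "accept" if result == "pass" else "reject"
    return "reject" if result == "fail" else "accept"

if __name__ == "__main__":
    for dom, src in [("example.test", "203.0.113.5"), ("example.test", "192.0.2.1"),
                     ("soft.test", "192.0.2.99")]:
        r = evaluate_spf(dom, src)
        print(dom, src, r, "strict:", filter_decision(r, True),
              "loose:", filter_decision(r, False))
```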