> It seems it should be easy to set up “If mail claims to be From: PayPal.com
> and is not from PayPal, score +100” but it is not.

This is what DMARC is for.

Run opendmarc as a milter and reject failures. Or score later on DMARC 
failure, even if just selectively for highly phished domains. 

PayPal publishes p=reject, on paypal.com at least, if not their other domains.

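An added example, not part of the original message: a minimal Python sketch of the "score later on DMARC failure, selectively for highly phished domains" option. It assumes an upstream DMARC milter has already stamped an `Authentication-Results` header; the authserv-id `mx.example.net`, the domain list, the function names and the sample messages are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: authserv-id of our own milter
HIGH_RISK_DOMAINS = {"paypal.com"}      # highly phished domains to score selectively
DMARC_FAIL_SCORE = 100.0                # the "+100" from the question

def from_domain(msg):
    """Domain of the RFC5322.From address, which is what DMARC evaluates."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def trusted_dmarc_result(msg):
    """dmarc= result from a header stamped by our own authserv-id, else None.
    Simplified parsing: assumes no ';' inside parenthesised comments."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV_ID:
            continue  # a sender can add this header too; ignore foreign ones
        for part in parts[1:]:
            m = re.match(r"dmarc\s*=\s*([a-z]+)", part, re.I)
            if m:
                return m.group(1).lower()
    return None

def dmarc_score(raw_message):
    """Score only high-risk From domains whose trusted DMARC result is fail."""
    msg = email.message_from_string(raw_message)
    dom = from_domain(msg)
    risky = any(dom == d or dom.endswith("." + d) for d in HIGH_RISK_DOMAINS)
    if risky and trusted_dmarc_result(msg) == "fail":
        return DMARC_FAIL_SCORE
    return 0.0

def sample(from_addr, *auth_results):
    """Build a constructed test message (not real mail)."""
    lines = [f"Authentication-Results: {a}" for a in auth_results]
    lines += [f"From: {from_addr}", "Subject: constructed sample", "", "body"]
    return "\n".join(lines)

if __name__ == "__main__":
    ours_fail = "mx.example.net; dmarc=fail header.from=paypal.com"
    forged_pass = "mx.sender.example; dmarc=pass header.from=paypal.com"
    print(dmarc_score(sample("PayPal <service@paypal.com>", forged_pass, ours_fail)))
```

The check only trusts results carrying the local authserv-id, so the receiving MTA should also strip any inbound `Authentication-Results` header that already claims that id, as RFC 8601 describes.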