duffpkg | 3 days ago
For a very long time I have also used unique emails for each respective service that involves email. When I sign up for npm it is something like email_npm@example.com. This makes it very easy to whitelist and also spot phishing emails because if an email for npm is coming to mail_cccoffee@example.com it screams that something is wrong. It is not bulletproof by any means but an additional layer that costs me almost nothing but requires effort on the part of attackers.
junon | 3 days ago
That's exactly what I do, and have caught quite a lot of other phishing emails this way. They queried my npm email via the public API and sent it there.
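The per-service alias check discussed in this thread, as an added sketch that is not code from either commenter: it compares the alias a message was delivered to with the service its From domain belongs to. The `email_<service>@example.com` scheme follows the first comment; the service-to-domain table, the function names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ALIAS_PREFIX = "email_"      # alias scheme from the thread: email_<service>@...
MY_DOMAIN = "example.com"
# Constructed table: domains each service is expected to send mail from.
SERVICE_DOMAINS = {"npm": {"npmjs.com"}, "cccoffee": {"cccoffee.example"}}

def alias_service(recipient):
    """Service tag encoded in a per-service alias, or None if not an alias."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != MY_DOMAIN or not local.startswith(ALIAS_PREFIX):
        return None
    return local[len(ALIAS_PREFIX):] or None

def sender_service(sender):
    """Service whose known domain (or a subdomain of it) the sender uses."""
    domain = sender.lower().rpartition("@")[2]
    for service, domains in SERVICE_DOMAINS.items():
        if any(domain == d or domain.endswith("." + d) for d in domains):
            return service
    return None

def classify(raw_message):
    msg = message_from_string(raw_message)
    # Prefer the delivery recipient; To is chosen by the sender.
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    sender = parseaddr(msg.get("From", ""))[1]
    alias, claimed = alias_service(rcpt), sender_service(sender)
    if alias is None:
        return "no-alias"
    if claimed is None:
        return "unlisted-sender"   # alias was reached from an unknown domain
    # "consistent" is not proof of legitimacy: From can be spoofed.
    return "consistent" if claimed == alias else "wrong-alias"

def make(frm, to):
    """Build a constructed sample message."""
    return f"From: {frm}\nTo: {to}\nSubject: Action required\n\nbody\n"

SAMPLES = {  # constructed messages, not real mail
    "cross": make("npm <support@npmjs.com>", "email_cccoffee@example.com"),
    "match": make("support@npmjs.com", "email_npm@example.com"),
    "harvested": make("help@npm-support.example", "email_npm@example.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The `harvested` sample models the second comment's case: the sender used the correct alias, so only the unlisted sending domain stands out.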