I’ve actually blocked any incoming email without a valid email address (belonging to my domain) in the To: or CC: headers; it’s helped me cut spam significantly.
Using a specific prefix I can generate a new email address for each website I visit. So when someone emails me, they’re forced to tell on themselves and/or the website they stole/bought my email address from.
All this makes it easy to see who lied and sold my shit (data) after I explicitly said not to. And I figure if I really needed to be BCC’d on something, the sender can simply forward the email to me after they receive the rejection message.