Sure, an email from Paypal.com can be signed or encrypted, but so can an identical one from Paypa1.com. How are users more protected in this case? In fact, a big "sender verified" message in the email client for the latter email will cause a lot more phishing.
Web browsers already implement a “near miss that’s probably intentionally confusing” check on domains, and the code is readily extracted and shared (I know about it because someone extracted it and added it to Emacs a couple of years ago).
This seems like one of those cases where more large infrastructure people need to say “don’t let the perfect be the enemy of the good”.
For Emacs (and its web browsers, email clients, etc.) this comes up in a concept of “confusables”: strings that could easily be mistaken for other strings, usually as a result of Unicode tricks (multiple similar code points from different scripts, or composed versus combined characters, or sometimes ugly tricks with LtR/RtL markers). The code added to Emacs was a library that could be used to detect these probably-misleading tricks, but they didn’t implement a policy for them. The uses I saw of the library fell into the sort of “Danger, Will Robinson! This looks like it might be malicious” type warnings that can be found in most browsers these days.
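An added example, not from the original comments and not the code that Emacs or any browser ships: a confusables check for sender domains that only produces warnings and leaves the policy to the caller. The confusables table is a small constructed sample (real implementations draw on Unicode's confusables data), and the trusted list and function names are assumptions.

```python
import unicodedata

# Constructed sample table (assumption): look-alike character -> the character it imitates.
CONFUSABLES = {"1": "l", "0": "o", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"}
# Directional marks, embeddings, overrides and isolates (the LtR/RtL tricks).
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Hypothetical list of domains the user already trusts.
TRUSTED = ("paypal.com", "myverifiedbank.com")


def skeleton(domain):
    """Fold a domain to a comparison form: NFKC, casefold, strip bidi, map look-alikes."""
    text = unicodedata.normalize("NFKC", domain).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text if ch not in BIDI_CONTROLS)


def scripts(domain):
    """Return the scripts of the letters in the domain, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}


def check_sender(domain, trusted=TRUSTED):
    """Return a list of warnings; an empty list means nothing suspicious was detected."""
    warnings = []
    if any(ch in BIDI_CONTROLS for ch in domain):
        warnings.append("bidi-control")
    if len(scripts(domain)) > 1:
        warnings.append("mixed-script")
    folded = unicodedata.normalize("NFKC", domain).casefold()
    if folded not in trusted:
        # Not an exact match: warn if it collapses to the same skeleton as a trusted name.
        for name in trusted:
            if skeleton(name) == skeleton(domain):
                warnings.append("looks-like:" + name)
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs: exact match, digit swap, Cyrillic 'a', bidi override.
    for sample in ("Paypal.com", "Paypa1.com", "p\u0430ypal.com", "pay\u202epal.com"):
        print(repr(sample), check_sender(sample))
```

A domain that merely differs from a trusted one without imitating its characters, such as notsoverifiedbank.com, produces no warning here; the check only covers look-alike strings.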
Also, people could have something like "sort emails from myverifiedbank.com into 'Bank' folder" and then fake emails from notsoverifiedbank.com will end up elsewhere.
Much like you might have a bookmark for https://www.myverifiedbank.com in your browser, and you'd have HSTS and so on to prevent you from randomly ending up on notsoverifiedbank.com servers instead.