I report emails that I know are legit if it fails the phishing rules. Best example is unprompted emails from third party services that I know my company is using. If I don’t get a real email from a real employee either including the link or warning me that a valid third party link is coming, I’m not going to click it.

Make your shit legit or I’m not gonna do it.