Simples!
Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.
No technology (except completely disconnecting someone / something) can be foolproof, so this still requires the end users to have a tiny little itty bitty smidge of sense and not do things blindly without being a little careful...