Not quite a definitive solution, but just enable strict SPF / DKIM and mark all external mail by amending its subject, or something like that.
That requires the domain owner not to be a dork; many of them fail badly at that hurdle.
I went through a phase a while back where I was seeing loads of domains with "+all" at the end of their SPF records. I cannot see a single instance where that can be anything but harmful, so my SPF milter now treats "+all" as if it were "-all". That helps...
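The override described in the last comment, as an added sketch that is not the commenter's milter code: it finds the `all` mechanism in an SPF record and reports the result a receiver would apply if a permissive `all` were handled as `-all`. The function names are hypothetical, the sample records are constructed, and a bare `all` is counted as `+all` because RFC 7208 makes `+` the default qualifier.

```python
# Added example: audit SPF records for a permissive "all" mechanism.
# Function names are hypothetical; sample records are constructed.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_all_qualifier(record):
    """Return the qualifier of the first 'all' mechanism, or None if the
    text is not an SPF record or contains no 'all' term."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier, name = "+", term.lower()  # RFC 7208: default qualifier is "+"
        if name[0] in QUALIFIERS:
            qualifier, name = name[0], name[1:]
        if name == "all":
            return qualifier  # terms after "all" are never evaluated
    return None


def effective_all_result(record):
    """Result for senders matching no earlier mechanism, with a permissive
    'all' (+all or bare all) handled as if it were -all."""
    qualifier = find_all_qualifier(record)
    if qualifier is None:
        return None
    return "fail" if qualifier == "+" else QUALIFIERS[qualifier]


def permissive_records(records):
    """Return the records whose published policy passes every sender."""
    return [r for r in records if find_all_qualifier(r) == "+"]


# Constructed sample records (not taken from real domains).
SAMPLES = [
    "v=spf1 mx +all",
    "v=spf1 include:_spf.example.net ALL",
    "v=spf1 ip4:192.0.2.0/24 ~all",
    "v=spf1 a -all",
    "v=spf1 mx redirect=_spf.example.net",
    "some-site-verification=constructed",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r}: published={find_all_qualifier(rec)} "
              f"effective={effective_all_result(rec)}")
```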