In order to aid against internal spoofing, a content compliance rule can be set up to reject all Non-Authenticated messages coming from your domain.  The steps needed to do this are listed below.

Create a Content Complaince rule from the Admin Console

Email messages to affect: Inbound and Internal Receiving

Expression Match: If ALL of the following match the message

Click Add to add an expression

Select: Metadata match

Attribute: Message authentication

Match Type: if message is not authenticated

Click Save: to save the expression

Click Add to add ANOTHER expression to the same Content Compliance rule

Select: Advanced content match

Location: Sender header

Match type: Matches regex

Regexp: .*@domain\.com\.*

Click Save: to save the expression

If the above expressions match, do the following: Reject messages

Click Show Options: Make sure Groups, Users, and Unrecognized are all checked.

Click Save: To save the Content Compliance rule

NOTE: For the Regexp you need to substitute your domain information.  If you need multiple domains for this rule, you can use the following format:

Regexp: .*@domain1\.com\.*|.*@domain2\.com\.*|.*@domain1\.net\.*