You need SPF, DKIM and DMARC for your emails.
then,
Reject SPF awhen resolves to "fail"
Also, you can add blk liste like zen.spamhaus.org and b.barracudacentral.org
Finally, you can add greylisting for the worse email accounts.
After that, you can log as root and tail -f...