Set the SPF TXT record (domain.com) to:
v=spf1 -all
This will inform receiving mail servers that no servers are authorized to send mail from this domain.
Set the DMARC TXT record (_dmarc.domain.com) to:
v=DMARC1; p=reject;
This will instruct receiving mail servers to reject mail if it is unsigned or if signature verification fails.
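
An added example, not part of the original page: a Python check that takes the TXT record strings already retrieved for domain.com and _dmarc.domain.com and reports anything that weakens the lock-down described above. The function names and sample records are constructed for illustration, and the sp and pct checks go beyond the two records shown to cover standard DMARC tags that would soften p=reject.

```python
def audit_spf(txt_records):
    """Problems in the apex TXT records of a domain that must send no mail."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is an SPF permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if "-all" not in terms:
        problems.append("no -all term, so unauthorized mail is not a hard fail")
    # Any other mechanism or modifier (include:, a, mx, ip4:, redirect=, ~all)
    # either authorizes a sender or softens the result.
    problems += [f"unexpected SPF term {t!r}" for t in terms if t != "-all"]
    return problems


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def audit_dmarc(txt_records):
    """Problems in the _dmarc TXT records of a domain that must send no mail."""
    recs = [t for t in map(parse_tags, txt_records) if t.get("v") == "DMARC1"]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = recs[0]
    problems = []
    if tags.get("p", "").lower() != "reject":
        problems.append(f"p={tags.get('p')} is weaker than reject")
    if tags.get("sp", "reject").lower() != "reject":
        problems.append(f"sp={tags['sp']} leaves subdomains on a weaker policy")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return problems


# Constructed sample input: the two records from the text above.
if __name__ == "__main__":
    print(audit_spf(["v=spf1 -all"]))
    print(audit_dmarc(["v=DMARC1; p=reject;"]))
```

An empty list from both functions means the records match the configuration given above; each string in a non-empty list names one deviation.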