If you have domains that do not send emails, you still need to lock them down so no spammers can spoof these domains to send emails. All you need is to add the following two DNS records to your domain’s DNS.
First, a block-all SPF txt record:
v=spf1 -all
And a DMARC policy that rejects all email that fails SPF.
v=DMARC1; p=reject; adkim=s; aspf=s;
And that’s it, quite simple steps that are enough to stop any spam emails sent from the domain.
Thanks to Alex Blackie for the excellent tip.