MBF Knowledge Base

Is there a way to verify the MAIL FROM address in Sendmail to prevent spoofing?

You cannot verify the sender in the general case. What you can do is:

1. Require authentication from the users your mail server relays for. These are generally your local users.


2. Reject mail from internal addresses that was not relayed through a server that you control. That may or may not be possible depending on your circumstances. For example, mobile users may be forced to use an ISP-specific SMTP server with a custom message envelope.


3. Use SPF and/or DKIM and hope that remote servers will reject mail that carries your domain name but comes from an unlisted server.

4. Use your SMTP server's configuration to define access control lists. Use the list rules to only allow email with certain domain names from certain IP ranges.
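The decision logic behind items 1, 2 and 4, as an added example (not Sendmail configuration and not part of the original article): a sender claiming an internal domain is accepted only from an authenticated session or a listed network. The domain `example.com`, the networks and all function names are constructed for illustration.

```python
import ipaddress

# Constructed policy: domains we own, and the networks allowed to send as them.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]


def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, '' for the null
    sender <> (bounces), or None if the address is malformed."""
    addr = mail_from.strip().strip("<>").strip()
    if addr == "":
        return ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_internal(domain):
    """True for a listed domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def check_mail_from(client_ip, mail_from, authenticated=False):
    """Decide whether to accept a MAIL FROM command.

    Returns (accept, reason). Only claims of an internal domain are
    restricted; external senders cannot be verified here and pass through.
    """
    domain = sender_domain(mail_from)
    if domain is None:
        return False, "malformed sender"
    if domain == "" or not is_internal(domain):
        return True, "external or null sender, not checked"
    if authenticated:
        return True, "internal sender, authenticated"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True, "internal sender, trusted network"
    return False, "internal sender from unlisted server"
```

The null sender `<>` is let through because bounce messages use it; rejecting it would break delivery status notifications.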