EDIT: Forgot to mention SPF records (actually easier to add to DNS than DKIM, sorry), and saw someone mentioned TXT records too; basically anything that can prove ownership of the domain for non-free addresses.
What about only explicitly allowing domains that have DKIM enabled?
Having that form of validation should help since DKIM was made to specifically stop email spoofing; and anyone serious about implementing Portier would understand that need.
Outlook/Gmail etc aren't likely to be flagged by ESP's for the most part as those have reputation and rudimentary spoofing protection, at least more than [email protected] anyway.
Persons using custom domains are usually the admins of those domains, and Office 365/GApps/Registrars etc. provide simple ways to enable DKIM.