by upofadown 1774 days ago
Some companies just mark incoming email with something like [external] to solve the problem used as an example. In the end you are going to know if an email came from your own server; you are the one sending them.

If it is really that important, businesses should be signing their emails.

1 comments

Eh, DMARC is meant to solve a different problem. E.g. when your accountant receives spoofed mail with a fake invoice supposedly coming from a legit supply chain provider. They might be trained to check the domain that was used to send the email, but without DMARC non-techies won’t be able to notice a well-made spoofed email.
Assuming that the email client used even shows the domain. If you can train your employee to do an obscure technical check you can for sure train them to verify invoices. After all, if you don't then the legit supply chain provider can just generate fake invoices.