Mrmuggyd - that won't work, because he has an external party sending on behalf of his domain.
Avatar - set up DNS SPF text records for the IPs that are allowed to send for your domain. See this tool:
http://old.openspf.org/wizard.html
In SBG - under Spam, Sender Authentication, Enabled, Add your domain, and select an action. I recommend something non-destructive like "add a header". You can then use Message Audit Logs to find e-mails that failed the check (Verdict = Sender Authentication Failed).
Once you are comfortable with the results you can change the settings to something more aggressive.
There is a gotcha here - if someone goes to a website (a magazine, FedEx, etc.) and uses the "Send to a friend" type link that asks for the sender's e-mail address and the user uses his work e-mail address, this policy will block those types as well.