As suggested by Platonides in T127247, change our SPF for wikimedia.org from ?all to -all
http://www.openspf.org/SPF_Record_Syntax
Mechanisms can be prefixed with one of four qualifiers: "+" Pass "-" Fail "~" SoftFail "?" Neutral
The "all" mechanism all This mechanism always matches. It usually goes at the end of the SPF record. Examples: "v=spf1 mx -all" Allow domain's MXes to send mail for the domain, prohibit all others. "v=spf1 -all" The domain sends no mail at all. "v=spf1 +all" The domain owner thinks that SPF is useless and/or doesn't care.
Currently WMF has
v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 ?all
Which means all other mail servers are considered "neutral"
v=spf1 ip4:91.198.174.0/24 ip4:208.80.152.0/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:74.121.51.111 -all
Would make it so all other mail servers are prohibited if they're not in the list before hand