
The company currently has two domains registered: "dom1.com" and "dom1.com.ex". "dom1.com" is hosted and is the main domain associated with our GSuite account, used to create the user accounts that send mail; "dom1.com.ex" is an active domain for e-mail aliases (it was the previous e-mail domain). We have set up Google's recommended SPF, DKIM, and DMARC for "dom1.com" on its host, but some users with the alias set up are receiving responses to spam sent from their alias.

"dom1.com.ex" is not hosted (it shows as delegated on the registrar).

Can we do something about it, or should we host it so we can set up SPF/DKIM/DMARC for it too?

(Removing the aliases isn't an option, since it was the main domain for e-mail and some contacts still send mail to those accounts.)

Loki

1 Answer


You need to set up SPF (at least; DMARC too if you really want to get the idea across) on the unused "dom1.com.ex".

If the old domain isn't supposed to ever send email outside the org, then you can use an SPF record equivalent to "I never send email; everything claiming to be me is spam":

v=spf1 -all

Super easy record to put in place, and any email claiming to be from dom1.com.ex will instantly fail an SPF lookup.

You could double down with a matching DMARC record of:

v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s

This tells a DMARC agent that it should reject (not even attempt to deliver) messages that fail, both in the "dom1.com.ex" domain (p=) and in all of its subdomains (sp=). It also says to apply this rule to all email (pct=100) and to use strict interpretation on both DKIM and SPF evaluation (adkim=s; aspf=s). Coupled with the "trust nothing" SPF record above, this should do a good job of getting most mail servers to ignore things purporting to be from the old dom1.com.ex domain.

This won't stop people from trying to spoof your domain. But it is a good effort to advertise up front that those people can't be trusted.

Every domain that I manage gets an SPF and a DMARC record as soon as it is registered. Most of them get the records you see here, just something to say "this domain isn't currently sending valid emails; don't believe anyone who claims to be us." It has helped a ton in preventing us from being swamped with unnecessary spam reports (and NDR floods).

EDIT: I do also set up DKIM records. I just can't publish a "dummy" one here, because anything I publish I would have a key for (so I could successfully send with that key). But if you really want to shut it all down, generate a valid DKIM record and publish it as well. You don't have to use it yourself; just having a record so that the spammers fail when they try to use it is enough.

Ruscal
  • That's some good info; I understand that I should host the old domain then, to set those SPF and DMARC values. – Loki Jan 18 '19 at 14:18
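To make concrete what the accepted records do on the receiving side, here is an added example (not code from the question, the answer, or Google): an offline Python model of a receiver applying SPF and DMARC to a few inbound messages against a constructed zone. The dom1.com.ex records are exactly the two the answer proposes; the dom1.com, weak.example and spammer.example entries, the IP addresses, and the DKIM "d=" domains are hypothetical, added only for contrast. The evaluator is deliberately minimal (ip4/ip6 and "all" for SPF, no include/a/mx, no Public Suffix List, no pct sampling), which is enough to show why "v=spf1 -all" plus "p=reject; sp=reject" with strict alignment turns a spoofed alias into a reject even when the spammer DKIM-signs with their own domain.

```python
"""Offline model of how a receiving MTA applies parked-domain SPF and DMARC
records. All DNS data is constructed below; nothing is looked up on the network."""
import ipaddress

# Constructed stand-in for the TXT records a receiver would fetch from DNS.
# dom1.com.ex carries the records from the answer; the rest are hypothetical.
ZONE = {
    "dom1.com.ex": "v=spf1 -all",
    "_dmarc.dom1.com.ex": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s",
    "dom1.com": "v=spf1 ip4:203.0.113.0/24 -all",          # hypothetical live domain
    "_dmarc.dom1.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "weak.example": "v=spf1 ~all",                           # hypothetical weak setup
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and the 'all' catch-all only
    (include/a/mx would need live DNS). Returns the SPF result string."""
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in SPF_RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return SPF_RESULTS[qualifier]  # "v=spf1 -all" ends here with "fail"
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return SPF_RESULTS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def find_dmarc(from_domain):
    """Look up _dmarc.<from_domain>; if absent, walk up the labels, the way a
    receiver falls back to the organizational domain. Simplification: no Public
    Suffix List, the walk just stops before the last label."""
    labels = from_domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        record = ZONE.get("_dmarc." + candidate, "")
        tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1" and "p" in tags:
            return candidate, tags
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts a parent/child relationship between the two domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return (auth_domain == from_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def dmarc_evaluate(from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_result, action). dkim_domain/dkim_result stand for the d=
    of a verified DKIM signature. pct sampling is not modelled: the answer's
    record sets pct=100, so every failing message gets the published action."""
    policy_domain, policy = find_dmarc(from_domain)
    if policy is None:
        return "none", "none"  # no policy published: receiver decides on its own
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    if policy_domain != from_domain:          # subdomain: sp= wins if present
        return "fail", policy.get("sp", policy["p"])
    return "fail", policy["p"]


def receive(from_domain, mail_from_domain, client_ip, dkim_domain=None, dkim_result="none"):
    """One inbound message: SPF on the envelope sender, then DMARC on the
    From: header domain. Returns (spf_result, dmarc_result, action)."""
    spf = spf_check(mail_from_domain, client_ip)
    dmarc, action = dmarc_evaluate(from_domain, mail_from_domain, spf, dkim_domain, dkim_result)
    return spf, dmarc, action


if __name__ == "__main__":
    cases = [
        ("spoofed alias on the parked domain", ("dom1.com.ex", "dom1.com.ex", "198.51.100.7")),
        ("spoofed subdomain of the parked domain", ("mail.dom1.com.ex", "mail.dom1.com.ex", "198.51.100.7")),
        ("spoofed From:, DKIM-signed by the spammer's own domain",
         ("dom1.com.ex", "spammer.example", "198.51.100.7", "spammer.example", "pass")),
        ("legitimate mail from the live domain", ("dom1.com", "dom1.com", "203.0.113.5")),
        ("same spoof against a ~all / p=none domain", ("weak.example", "weak.example", "198.51.100.7")),
    ]
    for label, args in cases:
        spf, dmarc, action = receive(*args)
        print(f"{label}: spf={spf} dmarc={dmarc} action={action}")
```

The third case is the one worth studying: the spammer's SPF and DKIM can both be perfectly valid for spammer.example, but with aspf=s and adkim=s neither identifier aligns with the dom1.com.ex in the From: header, so the message still fails DMARC and gets the reject action. The last case shows the alternative the question was living with: "~all" only softfails, and p=none asks the receiver to do nothing, so the spoof is delivered and the bounces come back to the alias owner.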