Our domain got spoofed. The first indication was a ton of auto-responders in the past week that all got delivered to our catch-all email account. Most of these auto-responders were supposedly in response to our emails. But looking at the message header revealed a ton of emails with our domain name but unknown user names. TerimaddoxSilver@appropriateit.org, JennaeconometricGalindo@appropriateit.org, HenriettasuperstitiousLin@appropriateit.org, and so on and so forth. This is just a sample. We had 70+ such unknown users on one single day.
Setting up a Sender Policy Framework (SPF) record is one way to prevent domain spoofing.