Per the design of e-mail, anyone can send e-mail “from” any domain and any address (it was the 80s; we didn’t know better).
Over the years, additional mechanisms have been added to try to limit abuse of e-mail. They’re not foolproof but they can help a lot.
First of all, in your screenshot you have two SPF records for your apex domain, which is wrong. You only need one SPF record for the apex domain, like this:
v=spf1 include:_spf.mx.cloudflare.net ~all
Including Cloudflare there is necessary for Cloudflare’s e-mail forwarding to work properly, but this basically says that nobody except Cloudflare should be allowed to send e-mail on behalf of your domain. E-mail not meeting the requirement will “look spammy” and might be rejected or spam-filtered, especially in combination with a strict DMARC policy (below).
Next, the most important thing you can have is a DMARC record. Create a TXT record with the name field set to “_dmarc” and the value something like this:
v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
You can look up the DMARC specification and customize it to your liking. RUA / RUF are optional, but you can supply addresses there to request to be notified if/when your domain is being used on spoofed e-mails.
Finally, a DKIM record: create another TXT record with the name “*._domainkey” and the value “v=DKIM1; p=”.
You should only have one DMARC record for your entire domain (the sp= defines policy for subdomains), and only one SPF for your apex domain, but you CAN have additional SPF records for subdomains, otherwise they inherit the policy of the apex domain.
For subdomains, you can optionally create an even more restrictive SPF record saying that not even Cloudflare is allowed. You’d need to create an entry for every subdomain that has a DNS entry, as well as one for * to cover arbitrary subdomains that don’t exist in DNS (or to match your wildcard * subdomain DNS entry if you have one).
Keep in mind that all these mechanisms are optional – you’re essentially REQUESTING that mail servers reject e-mail appearing to come from your domain, but there’s no way to actually force them to reject it.
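An offline sanity check for the record shapes described in this post, added here as an example (it is not from the original post or from Cloudflare). The zone data is constructed sample input standing in for what a TXT lookup would return; example.com and dmarc@example.com are placeholders. The checks flag the duplicate-apex-SPF mistake from the screenshot, a DMARC policy weaker than quarantine/reject (including a weaker sp= for subdomains), and a missing *._domainkey record.

```python
"""Offline checks for SPF / DMARC / DKIM TXT records.

Added example, not part of the original post. The zones below are
constructed sample data; nothing is resolved over the network.
"""
from __future__ import annotations

# Constructed zone that reproduces the "two SPF records at the apex" mistake
# and a monitoring-only DMARC policy.
BAD_ZONE = {
    "example.com": [
        "v=spf1 include:_spf.mx.cloudflare.net ~all",
        "v=spf1 -all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none",
    ],
}

# Constructed zone following the post's recommendations (addresses are placeholders).
GOOD_ZONE = {
    "example.com": ["v=spf1 include:_spf.mx.cloudflare.net ~all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; "
        "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1"
    ],
    "*._domainkey.example.com": ["v=DKIM1; p="],
}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC record into its tag=value pairs (tag names are case-insensitive)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_zone(zone: dict[str, list[str]], domain: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []

    # SPF: exactly one record at the apex, ending in a soft- or hard-fail "all".
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record at {domain}, found {len(spf)}")
    elif spf[0].split()[-1] not in ("~all", "-all"):
        findings.append("SPF: record should end with ~all or -all")

    # DMARC: exactly one record at _dmarc, requesting quarantine or reject,
    # and a subdomain policy (sp=) that is not weaker than the apex policy.
    dmarc = [r for r in zone.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p')!r} does not request quarantine/reject")
        if tags.get("sp", tags.get("p")) not in ("quarantine", "reject"):
            findings.append("DMARC: subdomain policy (sp) is weaker than quarantine/reject")

    # DKIM: the wildcard selector record the post recommends (v=DKIM1 with an empty p=).
    dkim = zone.get(f"*._domainkey.{domain}", [])
    if not any(r.replace(" ", "").lower().startswith("v=dkim1;p=") for r in dkim):
        findings.append("DKIM: no v=DKIM1 record found at *._domainkey")

    return findings


if __name__ == "__main__":
    for name, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(name, check_zone(zone, "example.com") or ["all checks passed"])
```

To run it against a real zone, replace the constructed dicts with the TXT strings returned by your resolver; the record names are the same ones the post tells you to create.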