Receiving scam emails sent from my own domain

We use Cloudflare email routing for our domain, and the catch-all setting is enabled and configured to send emails to my Gmail address.

We have SPF, DKIM and DMARC records set up for the domain that only allow Cloudflare and AWS to send emails from our domain.

This evening I received a catch-all spoof/scam email that was sent to [email protected], sent from [email protected].

According to the headers, this email was sent to Cloudflare from (localhost [IPv6:::1]) by and passed all the SPF/etc checks.

Please can you explain why Cloudflare has accepted and forwarded this email from this host, that was sent from [email protected], even though the SPF/DMARC/DMARC policy does not permit as a permitted sender for

I would greatly appreciate any insight you can offer, as we are concerned Cloudflare is allowing unauthorised senders to impersonate email addresses.

Our SPF record is:
v=spf1 ~all

Our DMARC record is:
v=DMARC1; p=quarantine

These records as well as our DKIM records are showing as valid/passed on
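How a DMARC verdict is derived for the `v=DMARC1; p=quarantine` record quoted above, as an added example that is not part of the original post and is not Cloudflare's code. The domains `example.com` and `sender.invalid`, the function names and the authentication results are constructed assumptions.

```python
# Added example: simplified DMARC evaluation (after RFC 7489).
# Domains and authentication results below are constructed placeholders.

PAGE_DMARC = "v=DMARC1; p=quarantine"  # record quoted in the post

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def aligned(auth_domain, from_domain, strict=False):
    """True if auth_domain matches the From: domain.
    Relaxed mode here accepts only the From: domain or its subdomains,
    which is narrower than the RFC's organizational-domain comparison."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or (not strict and a.endswith("." + f))

def dmarc_disposition(from_domain, record, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns 'pass' or the policy the domain owner requested."""
    tags = parse_tags(record)
    if tags.get("v") != "dmarc1":
        return "none"
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, tags.get("aspf", "r") == "s")
    dkim_ok = any(
        res == "pass" and aligned(dom, from_domain, tags.get("adkim", "r") == "s")
        for res, dom in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    cases = {
        "SPF pass, unrelated MAIL FROM": (("pass", "sender.invalid"), []),
        "SPF softfail on own domain": (("softfail", "example.com"), []),
        "aligned DKIM signature": (("fail", "sender.invalid"), [("pass", "example.com")]),
    }
    for name, (spf, dkim) in cases.items():
        print(name, "->", dmarc_disposition("example.com", PAGE_DMARC, spf, dkim))
```

The returned value is the policy the domain owner requests; a receiver applies it at its own discretion, and `quarantine` asks for the message to be treated as suspicious rather than refused.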