We have websites hosted on AWS, are using SES to send out mailings, and use Google Mail for sending and receiving company mail.
Every so often I receive SPAM emails to my Priority Inbox in Google because they are marked as coming from our domain with both SPF and DKIM pass, even though they were sent from a spammer on another server.
Here are some sample headers: https://pastebin.com/JjvYSq0A
I believe this may be happening because we are using both SES and Google Mail and have designated both as trusted sources for e-mail.
I guess I'm wondering whether there is any way to keep spoofed messages from being signed as from us. We've had this problem for a while.
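A diagnostic for the situation described above, added here as an example and not part of the original post: SPF authenticates the envelope sender domain (`smtp.mailfrom`) and DKIM authenticates the signing domain (`header.d` / `header.i`), so both can report `pass` for a domain other than the one shown in `From:`. The sample message, its domains and the function names are constructed for illustration, and alignment is simplified to a subdomain comparison instead of a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; example.com and bulk-sender.test are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@bulk-sender.test header.s=s1 header.b=AbCdEfGh;
       spf=pass (google.com: domain of bounce@mail.bulk-sender.test designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.bulk-sender.test
From: "Accounts" <billing@example.com>
Subject: constructed sample

body
"""

def domain_of(value):
    """Return the lowercase domain of 'user@dom', '@dom' or 'dom'."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def aligned(auth_domain, from_domain):
    """Simplified alignment: same domain, or a subdomain of the From domain.
    Assumption: a full DMARC check compares organizational domains instead."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def check_alignment(raw):
    """Return (From domain, [(method, result, authenticated domain, aligned)])."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg["From"])[1])
    findings = []
    for hdr in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop parenthesised comments before splitting.
        flat = re.sub(r"\([^)]*\)", "", re.sub(r"\s+", " ", hdr))
        for part in flat.split(";")[1:]:
            m = re.match(r"\s*(spf|dkim)=(\w+)", part)
            if not m:
                continue
            props = dict(re.findall(r"\b(smtp\.mailfrom|header\.[di])=(\S+)", part))
            ident = (props.get("smtp.mailfrom") if m.group(1) == "spf"
                     else props.get("header.d") or props.get("header.i"))
            if ident is None:
                continue
            dom = domain_of(ident)
            ok = m.group(2) == "pass" and aligned(dom, from_dom)
            findings.append((m.group(1), m.group(2), dom, ok))
    return from_dom, findings

if __name__ == "__main__":
    from_dom, findings = check_alignment(SAMPLE)
    for method, result, dom, ok in findings:
        print(f"From={from_dom} {method}={result} for {dom} aligned={ok}")
```

A message where every row shows `aligned=False` passed SPF and DKIM only for someone else's domain; a DMARC record on the `From:` domain is what tells receivers to act on that mismatch.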