Today while working at my company, we saw allot of automatic reply emails coming into one of our group inboxes (i.e. info@company.com). We suspect that this email address is being used in a phishing campaign and the automatic replies were from potential victims. We have the SPF and DMAC setup for our domain and thought this would prevent any such emails since it didnt come from us.
Am I wrong in this assumption or is there a way that they can still use our domains?