attempted phishing scam from zoneedit customer - Advice Requested

#1
I got this phishing email that is attempting to say they have hacked into my mail server.

I know it is nonsense because I don't run a mail server to be hacked. I just have e-mails from my domain.org forwarded to my google account.

My question is:
How do I prevent people from spoofing my domain like this. To most people it will look like a message like this came from me unless you look at the message details and you can see that it is not originating from my domain. I believe this person is a zoneedit customer as well. The message looks like it came from Brazil.

How should MX and TXT be setup to allow forwards but not allow others to spoof with my domain? Looks like SPF did nothing here to stop it.
I have changed items in bold to be generic.

ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) smtp.mailfrom="SRS0=gyLq=M5=mydomain.org=username@srszone.org"
Return-Path: <SRS0=gyLq=M5=mydomain.org=username@srszone.org>
Received: from mxc02.zoneedit.com (mxc02.zoneedit.com. [64.68.198.24])
by mx.google.com with ESMTPS id g187-v6si11779960iof.28.2018.10.17.09.11.58
for <username@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Wed, 17 Oct 2018 09:11:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) client-ip=64.68.198.24;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of srs0=gylq=m5=mydomain.org=username@srszone.org designates 64.68.198.24 as permitted sender) smtp.mailfrom="SRS0=gyLq=M5=mydomain.org=username@srszone.org"
Received: from 189-73-36-188.mganm703.e.brasiltelecom.net.br (unknown [189.73.36.188]) by mxc02.zoneedit.com (Postfix) with ESMTP id CB940877EB for <username@mydomain.org>; Wed, 17 Oct 2018 16:11:57 +0000 (UTC)
From: <username@mydomain.org>
To: <username@mydomain.org>
Subject: username@mydomain.org is hacked
Date: 17 Oct 2018 08:40:58 -0400
Message-ID: <001801d4661a$038cc88b$e31da6b2$@mydomain.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Acab5anvc67qqw2xab5anvc67qqw2x==
Content-Language: en
 
#2
Same thing is going on with me man!
They've been targeting my domain for a few weeks now and I've had enough

And I do the same thing, I have a free ZoneEdit domain and I use it for mail forwarding to my GMail

I'm not too technical when it comes to the inner workings of email / smtp but I can see that if I look at the full original mail it shows who the message really came from

Received: from abts-north-dynamic-125.7.163.122.airtelbroadband.in (unknown [122.163.7.125]) by mxc01.zoneedit.com (Postfix) with ESMTP id B5C1B12750A for <username@mydomain.org>; Tue, 23 Oct 2018 12:27:43 +0000 (UTC)

This is very annoying though, and alarming that they're able to spoof the sender so easily
I too would like to know how exactly they're able to do this, and what we can do to stop it from happening in the future
 
Top