I have a custom domain for email. Do I need to configure DNS to prevent outgoing text messages with an address from my domain?

I own a custom domain that I use for e-mail. The mail server is configured with a catch-all that redirects messages to any user to my inbox. For the first time this afternoon, I received a benign “auto-reply” to a message (“I’m driving and will get back to you later”) that was “sent by” accnt966.wellsfargobanking.online02921@mydomain.com and sent to some phone number @vtext.com (which seems to be Verizon).

My domain is configured with SPF, which previously seemed effective at preventing spammers from spoofing the use of my domain (based on no longer receiving bounced messages). However, it seems pretty clear that someone managed to send a text message that looked like it came from my domain. Do I need to configure anything else to prevent this? Is this Verizon’s fault for not checking? Or should I conclude that someone was able to send spam from my email provider?