Okay, up go SPF shields. After seeing spam emails impersonating my domain, I’ve checked my SPF settings and discovered they were pretty lenient:

v=spf1 include:example.com ?all

Well, no more. If the email is not from Fastmail, it gets blocked:

v=spf1 include:example.com -all