Your domain has DMARC, but the policy is set to "monitor only" (p=none), so it watches without actually stopping anything. Fake email that impersonates your domain still gets delivered — you get the reports but none of the protection.
Pro tip: p=quarantine is the safe middle step: spoofed mail goes to spam (recoverable if something legitimate is mis-flagged) rather than being rejected outright. Sit at quarantine until you're certain, then move to reject.
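Whether a domain is still at "monitor only" can be read straight from its DMARC TXT record. The Python below is an added example, not SiteSprout's code: it rates a record as monitor-only, partial, or enforcing, and flags two settings that weaken an otherwise enforcing policy (pct below 100 and sp=none). The function names are hypothetical and the sample records are constructed for the placeholder domain example.com.

```python
# Added example (not SiteSprout's code): rate a DMARC TXT record by the
# protection it gives. Function names are hypothetical.
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for the placeholder domain example.com.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=none",
]


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip empty or malformed segments
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (status, notes) for one DMARC record string."""
    # The version tag must be the first tag in the record.
    name, _, value = record.split(";", 1)[0].partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["missing or unknown p= tag; nothing is enforced"]
    notes = []
    status = "monitor-only" if policy == "none" else "enforcing"
    if policy == "none":
        notes.append("spoofed mail is still delivered; reports only")
    else:
        # pct below 100 applies the policy to only a sample of failing mail.
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            status = "partial"
            notes.append(f"policy applies to only {pct}% of failing mail")
        # sp overrides p for subdomains and defaults to p when absent.
        if tags.get("sp", policy).lower() == "none":
            notes.append("subdomains are monitor-only (sp=none)")
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports arrive")
    return status, notes
```

Call assess_dmarc() on each entry in SAMPLES to see the three outcomes side by side.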
SiteSprout scans your site, tells you which issues you actually have in plain English, and keeps watch so nothing breaks silently.