Most domains can be spoofed!Only DMARC can help!!
To make a long story short
1) DNS SPF (TXT ) -all
If your IT consultant or employee told you you're organization domain/brand repuation was protected against spoofing, using a DNS TXT / SPF strict policy, he's wrong. It does help " little bit " but anyone who knows how eMail and spoofing works can still send eMail on your behalf.
2) IF you have no DMARC DNS ENTRY or the one you have ends with p=none (monitoring) Your domain can be spoofed
https://www.uriports.com/tools
3) You do have a DMARC DNS entry with a policy p=quarantine or reject and an also a strict SPF ending with -all ? Some of your eMail will be lost and DKIM won't work properly most of the time.
4) if your domain is not on well known black Lists, it doesn't mean major providers do not have some internal policies to reject, quarantine or discard your eMail without you knowing it...
Only DMARC monitoring will be able to provide(may be) some feedback from internet eMail servers as how they deal with your eMails without giving you official feedback (bounce, etc)
FOR TECHNICAL PEOPLE : https://www.lastspam.com/blog/spf-dmarc-for-techies
FOR NON-TECHNICAL PEOPLE : https://www.lastspam.com/blog/spf-dmarc-dkim-simplified
https://www.uriports.com/blog/demystifying-dmarc-alignment/
DMARC in the news
https://www.securityweek.com/us-says-north-korean-hackers-exploiting-weak-dmarc-settings/
If you want to test if you are DMARC/SPF/DKIM compliant, eMail this tool address. https://www.dmarctester.com/
Note : being compliant doesn't mean you can't be spoofed