I have owned my domain name for about 6 years now and integrated it with GSuite (previously "Google Apps for Business") for about the same time.
I recently received a spam mail from my own official email address.
After some research, I was surprised to learn how easily anybody's official-looking email address can be spoofed. GSuite doesn't go out of its way to advise the average customer of this possibility in their documentation [1]. I have no idea how long my email address had been misused and wouldn't know about it either had I not received spam from my own address.
I have now set up SPF, DKIM and DMARC for my domain, and am receiving daily aggregate reports from Google, and occasionally from Yahoo. Volume of spoofed emails is low - about 6 to 8 emails according to Google's reports. WHOIS lookups say senders are from all around the world - Kosova, Iran, Vietnam, India, Brazil, Czech Republic, etc. They all look like regular ISP IP addresses, except for one which seemed to be a corporate address.
My question is what next - what exactly should I do with those spoofing IP addresses in the reports?
Another question - I have set DMARC disposition to "reject". Does it ensure that spoofed emails are always rejected by every receiving mail server, or is it merely a hint?
[1] : https://support.google.com/a/answer/53295?hl=en
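
The following is an added example, not part of the original post. It reads a DMARC aggregate report in the RFC 7489 XML layout and, for each source IP whose messages failed both aligned SPF and aligned DKIM, totals the message count and lists the disposition the receiver actually applied along with any override reason it recorded. The sample report, `example.com` and the documentation-range IP addresses are constructed, and the function name `failing_sources` is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout. example.com and
# the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 addresses are placeholders.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
  <policy_evaluated><disposition>reject</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><disposition>reject</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>1</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf>
   <reason><type>forwarded</type></reason></policy_evaluated></row></record>
</feedback>"""


def failing_sources(report_xml):
    """Map each source IP whose mail failed DMARC to totals and outcomes."""
    root = ET.fromstring(report_xml)
    published = root.findtext("policy_published/p")
    sources = defaultdict(lambda: {"messages": 0, "dispositions": set(),
                                   "overrides": set()})
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or aligned SPF check passes.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        entry = sources[row.findtext("source_ip")]
        entry["messages"] += int(row.findtext("count"))
        entry["dispositions"].add(ev.findtext("disposition"))
        # <reason> records why the receiver applied something other than
        # the published policy (for example, forwarded mail).
        entry["overrides"].update(r.findtext("type") for r in ev.iter("reason"))
    return published, dict(sources)


if __name__ == "__main__":
    policy, sources = failing_sources(SAMPLE_REPORT)
    print(f"published policy: {policy}")
    for ip, info in sorted(sources.items()):
        print(ip, info["messages"], sorted(info["dispositions"]),
              sorted(info["overrides"]))
```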