SPF will advise receiving mail servers who can send out on your domain, but it's ultimately up to them. You could possibly tighten that up by changing the fail in your SPF from a soft fail to a hard fail, assuming you are currently using a soft fail as most people do.
Also have you checked that someone is actually spoofing your domain and it's not that your email accounts' passwords have been compromised, or if you have some hosting, that a contact form or similar has been compromised?
The problem is if you don't have a compromised account/server and someone is just using your domain, then the servers that are sending bounces back to you are badly set up because they should be rejecting the emails at the SMTP level rather than sending a bounce, so therefore the people that set them up probably didn't bother or weren't able to have them read SPF or DKIM.
It's know as backscatter if you want to do some reading about the subject. The servers sending it are probably on some blacklists so maybe using an email provider that uses spam blacklists would help.