SPF and Spoofing E-Mails
From Lunarpages Web Hosting Wiki
We cannot prevent someone from sending an e-mail from their own account with the 'From' and 'Reply To' fields changed so that it appears to have been sent from your domain. Whilst many companies are working on ways to prevent this, and it is always possible to prove whether the mail was really sent from your account or spoofed in this manner, there is currently no procedure in existence which will prevent it in the first instance.
Since the forged 'sender' address does not exist, the message comes back to your default address as undeliverable mail.
The first step you should take is to contact firstname.lastname@example.org or put in a Help Desk ticket. Be sure to include the full headers of the message in the ticket or e-mail, so we will at least be able to find out where it has come from. Most likely, it has come from a cable modem or DSL user's home computer that has been compromised and is sending this mail out.
How Can I Set Up an SPF Record?
There is a possible solution to limit this, and that is to use SPF (Sender Policy Framework). With SPF, you publish in DNS which machines are authorized to send e-mail 'from' your domain, so that receiving mail servers that check SPF accept such mail only from machines authorized by you. You can create an SPF record here: http://www.openspf.org/. Once you have done this, reply to us with the created entry so that we can add it to your zone file. Just contact email@example.com or put in a Help Desk ticket.