beanat50
New Contributor

Spoofed emails from non-existent user

We have a fortimail 60D behind a fortigate 200D. Recently we started seeing spoofed emails being successfully forwarded through our email server using an email address in our domain but with a non-existent user account (no such user name). We have SPF set up in our domain and enabled in the 60D, and DKIM is also configured and enabled. To stop the emails, I added the address being used to the ACL to block it, which worked. That spoofer has subsequently tried to send over 25,000 emails through our server, clogging up the log files (just since last Friday). I tried to correlate activity in the 200D that was directed toward the 60D and that showed high levels of activity at the same time the 60D was showing spoof activity, and identified several addresses which I blocked by policy in the 200D, hoping to keep the logs clear. It's too early to tell if I was successful. I'm concerned though, since I don't understand how access to our server was gained. It would seem to me I ought to be able to block all outgoing messages if they didn't originate from a user on the user list. I also think I should be able to block outgoing messages that didn't originate from within our local network (those having a from address of the 200D rather than the actual network address of the sender). I'm worried that I do not have some setting or configuration correct that has allowed this to happen, and I don't want to rely on my catching similar activity if another spoofer succeeds in accessing the fortimail as this spoofer did. Is there something obvious that I am missing - or perhaps should I get a service ticket on this issue?
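The two rules the poster wants to enforce (reject a local-domain sender that is not a real user, and reject a local-domain sender that connects from outside the LAN without authenticating) are easy to express as a log check, which is also a useful way to confirm after the fact whether a burst like the 25,000-message one would have been caught. The following Python is an added example, not FortiMail code or anything from the poster; the record layout, the domain, the user list, the internal ranges and the sample log entries are all constructed for the illustration.

```python
"""Flag messages that claim a local-domain sender but do not come from a
known local user or from an authenticated / internal connection.

Added example for the forum question above; not FortiMail code.
Domain, user list, network ranges and log records are constructed.
"""
import ipaddress
from collections import Counter

LOCAL_DOMAIN = "example.com"                 # assumption: the protected domain
KNOWN_USERS = {"alice", "bob", "carol"}      # assumption: the server's user list
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]  # assumption: LAN ranges

# Constructed sample of what a mail log might carry per message:
# envelope sender, connecting IP and the authenticated account, if any.
SAMPLE_LOG = [
    {"id": 1, "from": "alice@example.com",      "src": "192.168.1.20", "auth": "alice"},
    {"id": 2, "from": "nosuchuser@example.com", "src": "203.0.113.45", "auth": None},
    {"id": 3, "from": "bob@example.com",        "src": "198.51.100.7", "auth": None},
    {"id": 4, "from": "partner@other.example",  "src": "203.0.113.9",  "auth": None},
    {"id": 5, "from": "nosuchuser@example.com", "src": "203.0.113.45", "auth": None},
]


def is_internal(ip):
    """True when the connecting address lies inside one of the LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_message(msg):
    """Return the reasons a message looks like local-domain spoofing.

    An empty list means the message passes both rules.  Mail from other
    domains is not judged here; that is SPF/DKIM territory on the inbound side.
    """
    local, _, domain = msg["from"].rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return []
    reasons = []
    # Rule 1: the local part must be a real account on the user list.
    if local.lower() not in KNOWN_USERS:
        reasons.append("sender not in user list")
    # Rule 2: a local sender must come from the LAN or from an authenticated session.
    if not is_internal(msg["src"]) and not msg["auth"]:
        reasons.append("external source without authentication")
    return reasons


def scan(log):
    """Run both rules over a log; return {id: reasons} for hits and a
    per-sender hit count so a flood from one spoofed address stands out."""
    flagged = {m["id"]: check_message(m) for m in log}
    flagged = {mid: reasons for mid, reasons in flagged.items() if reasons}
    per_sender = Counter(m["from"] for m in log if m["id"] in flagged)
    return flagged, per_sender


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for mid, reasons in hits.items():
        print(f"message {mid}: {'; '.join(reasons)}")
    print("hits per sender:", dict(counts))
```

Message 2 and 5 trip both rules (unknown user, external unauthenticated source), message 3 trips only the second (a real user's address from outside without authentication), and the inbound message from another domain is left alone. On the real box the equivalent controls are an outbound policy that requires authentication or an internal source and a recipient/sender check against the user directory; the script is only a way to audit the log for what such a policy would have blocked.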
