You've to check the email header to see how the email has been sent.
If it was your own computer / server, then you have to secure it better.
If it was some random IP address that started it: it's easy to forge an email sender addresses.
Just like in the real world you would post an envelop and put someone else's address as sender.
In all cases you could take some anti spam measures using the DNS of your domain: