How did a spammer spoof my email address?

The likely reason HEY didn’t flag that email as spoofed is a DMARC policy set for your domain:

"v=DMARC1; p=none;"

This policy instructs anyone receiving email from your domain to do nothing, just let the email land in the user’s inbox. That’s the policy we recommend you set when you’re configuring your HEY for Domains account. We start with this policy because it’s the most relaxed one, the least likely to cause delivery issues from your domain. However, being this relaxed also means spoofing like this is easier.

You could change your DMARC policy to be:

"v=DMARC1; p=quarantine;"

With that DMARC policy, emails that are detected as spoofed would be “quarantined”, which in most cases means either sent to the spam folder or having a warning letting you know that the email couldn’t be authenticated (this is what HEY does when the sender has been screened in).

Keep in mind that this has some risks as well. For example, if you send email from other places outside HEY and your SPF record is not correctly configured to allow sending from that other place, an email sent from there might end up classified as spam because of the new DMARC policy.

If you decide to move towards a stricter DMARC policy, a good idea is not to move right away but instead keep p=none and monitor DMARC reports. That way you get an idea of which emails could potentially be marked as spam if you implemented this policy and also which emails are spoofing your domain.