When it says the email is "from" server 1 "via" server 2, the From address is an email that isn't yours, and the Reply-To address on the mail has been rewritten to yours. Mail client software is supposed to display the Reply-To, but obviously doing that leads to a rise in spam fooling people, so I understand why spec isn't followed there.

Your last sentence stitches the whole thing up: you're doing everything right. Nothing can stop someone trying to impersonate you and sending emails professing to be from your email address. Your SPF, DKIM, and DMARC records will prevent them from being delivered most of the time, and even if it goes to spam the recipient mail client should put a warning on it to the effect that it failed verification. Not having an open relay prevents anyone from abusing your mail server itself, meaning anyone trying to impersonate you will fail verification, as they cannot send an email from your server's IP or with your valid DKIM signature.

Your emails going to spam isn't something you can readily stop, I'm afraid. All your security we've talked about so far is aimed at preventing fake emails from being delivered; going to the spam folder is a result of secondary sorting after delivery. I believe some systems take the verification into account, but who knows what other logic they apply. Most systems will skip secondary sorting for emails in the address book, so as '90s as it sounds: get yourself added to the address book. And make sure nobody reports your legitimate emails as spam; those reports do actually work.

Speaking of, when you get a bounce notice, it should say why. It might not be useful, but then again it might. Remember as well that your email may have bounced just because "Big Email Said No": https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

Other people sending spam shouldn't affect your domain's reputation; a lot of that is the IP the email is sent from, rather than the domain itself. Lists like SORBS and HostKarma work solely off the IP, to my understanding.

Tools I use regularly are https://mail-tester.com (3 free tests a day, don't send attachments) to check for how deliverable your emails are, and https://senderscore.org for checking your reputation.

Finally, don't worry about spammers targeting authorities while spoofing your email, if the French government's IT security departments can't tell it's spam and not from you just by looking at the email headers, France as a whole has bigger problems 😋

I hope that helps! Sorry I can't help with spam filtering in your own inbox, I'm mostly focused on deliverability to other inboxes. I also hope someone with more experience than me can chime in, because I'm sure there's a lot I'm missing 😅

Do you have DKIM, SPF configured? If not, start there. Once that's done, enable DMARC, and your problem will be solved. Be careful with DMARC, though - if the first two aren't correct, legitimate emails will get blocked.

Are you sure it’s spoofing and not a relay attack? It’s doubtful anyone would spoof you. More likely you left a relay open.