preventing spoofed spam on email server - spf, etc.

I have a number of domains and a hosting account, and it looks like one of the domains has been sending out spam for a while now when I wasn't paying attention. DKIM and SPF weren't set up (my bad for a neglected server/domain) but I enabled them both a week or more ago and I'm still getting lots of rejection emails and a few bounce-back emails from the remote side.

Short of asking the hosting company to move my IP, was hoping someone might be able to walk me through what to do next or do to confirm whether or not I'm "fixed" or not. I'm assuming if I'm still getting bounce-backs, then somehow someone is still using my server to send mail out.

For anybody who was interested, just wanted to update that it turns out the changes I made back in late Nov actually did resolve everything. It just took a few more days for the spammer to realize nothing was getting through anymore and to stop trying. I haven't seen any attempts since a couple days after I made the changes.