You should ask your ISP for more info. Generally, an ISP won't blacklist your domain just because a spammer is using forged headers - that is very common and most ISP's understand that is not your fault. You may have an open mail server on your domain that a spammer has compromised and is using to actually send spam.
My ISP has confirmed that spammers are not forging my headers but rather actually gaining access to the mail server (through poorly written script?). So I don't think spf records are the answer (though I have implemented them for all 3 domains just in case). Somehow I've got to figure out how to close off the mail server to the spammers. Since the domains/sites are hosted on a friend's virtual server & he interacts w. the web host, that may be tough to do. Any thoughts would be appreciated.