NDAA 2021 legislation is forcing the closure of gaps in SPF, DKIM, and DMARC.
This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this, especially in light of the inclusion of marketing automation platforms on root domains.
You cannot drive a hole through your email ingress filtering policies with a 20 lb sledgehammer to accommodate an incompetently configured sender framework on your senders' side.
It's time to push back on their incompetence. Get your VISO involved and get policies in place, such as one stating that IT will not be asked to put holes in security to accommodate senders with bad email systems. Instead, letters will go to bad senders telling them to get their house in order.
You need to get your own house in order to make sure that your emails are deliverable. Cybersecurity insurance providers are assessing this information as part of your risk profile.
Salesforce Email Service Used for Phishing Campaign | eSecurityPlanet
For more information on this topic: Email Deliverability - The Titanic Problem Headed Your Way