When it comes to email you have to be completely ... enthusiastic: "I was following all the best practices with SPF, SKIM, and DMARC."
DKIM. Obviously that was a typo on a forum but you cannot be complacent, ever.
You have missed out DNSSEC (nearly optional), SMTP-TLS and MTA-STS. Does your SPF record end with -all? Does your DMARC record have reporting addresses, does it have: "p=reject; sp=reject; adkim=s; aspf=s" in it?
I also suggest you send marketing emails from a subdomain or a separate domain or move your identity domain elsewhere. A cop-out is getting someone else to send your stuff and I do not recommend that - it looks lax and trite.
I run a MS silver (it's not sterling and I'm not proud of it) partner. I recently shuffled our on-prem to Exchange Online, which at least saved a shitload of vRAM n vCPU on-prem and horrendous Windows updates. I do insist on gatewaying all our SMTP via our on-prem Exim n Rspamd n that. That means I get to decide where our mail goes and I also have a couple of Dovecots on-prem.
I run rather a lot more mail systems than ours too. This works in the UK but I cannot comment on [elsewhere], for obvious reasons.
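The SPF and DMARC questions asked in the comment above, turned into a check over record strings. This is an added example, not part of the original post; the function names and sample records are constructed, and it goes slightly beyond the comment by applying the RFC 7489 defaults (sp inherits p, alignment defaults to relaxed) and by reading "reporting addresses" as a rua= tag.

```python
# Added example: audit SPF and DMARC TXT strings against the comment's questions.
# All sample records below are constructed (example.com / example.net).
STRICT = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    """Return a list of findings; an empty list means the record ends with -all."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    if terms[-1] == "-all":
        return []
    if terms[-1] in ("~all", "?all", "+all", "all"):
        return [f"ends with {terms[-1]} instead of -all"]
    return ["does not end with an all mechanism"]

def audit_dmarc(record):
    """Return a list of findings; an empty list means the strict policy is in effect."""
    tags = {k: v.lower() for k, v in parse_dmarc(record).items()}
    if tags.get("v") != "dmarc1":
        return ["not a DMARC record (missing v=DMARC1)"]
    # RFC 7489 defaults: alignment is relaxed ('r') and sp inherits p when unset.
    effective = {"adkim": "r", "aspf": "r", **tags}
    effective.setdefault("sp", effective.get("p", ""))
    findings = [f"{tag} is {effective.get(tag) or 'unset'}, want {want}"
                for tag, want in STRICT.items() if effective.get(tag) != want]
    # Assumption: "reporting addresses" means at least one rua= mailto: URI.
    if not any(u.strip().startswith("mailto:") for u in effective.get("rua", "").split(",")):
        findings.append("no rua reporting address")
    return findings

if __name__ == "__main__":
    samples = {
        "spf weak": "v=spf1 include:_spf.example.net ~all",
        "spf strict": "v=spf1 mx -all",
        "dmarc weak": "v=DMARC1; p=none",
        "dmarc strict": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    }
    for name, rec in samples.items():
        audit = audit_spf if name.startswith("spf") else audit_dmarc
        print(name, "->", audit(rec) or "ok")
```

Feed it the TXT strings returned for the domain and for `_dmarc.` under it; an empty list means the record matches what the comment asks for.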