So the takeaway is, implement a strong DMARC policy (which is the default recommendation on all reputable email services, including Google Workspace, Microsoft 365, etc.).
For those on M365, set up a mail flow rule that actually rejects emails that fail DMARC (as opposed to going to Quarantine). Microsoft, in their wisdom, ignore the p=reject tag and decide to do their own thing.
Sysadmins who think the mail servers they set up 15 years ago are still secure need to reconsider their profession.
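The M365 mail flow rule described in this comment, written out as an added example (not the commenter's own configuration) using the Exchange Online PowerShell module's `New-TransportRule` cmdlet; it assumes EOP stamps `dmarc=fail action=oreject` in the Authentication-Results header for a failed p=reject sender, and the admin account, rule name and domain are placeholders.

```powershell
# Added example: turn EOP's DMARC "override reject" back into a hard reject.
# Requires the ExchangeOnlineManagement module and Exchange admin rights.
# admin@example.com and the rule name are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# Sender side, for reference: the policy the comment calls "strong" is
# published in DNS as a TXT record such as (placeholder domain)
#   _dmarc.example.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Receiver side: EOP writes the DMARC verdict into Authentication-Results.
# For a sender publishing p=reject it records "dmarc=fail action=oreject"
# (assumed header text) and, by default, quarantines or junk-folders the
# message rather than rejecting it. This rule rejects it at the boundary.
New-TransportRule -Name "Reject DMARC p=reject failures" `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail action=oreject" `
    -RejectMessageReasonText "Rejected: sender domain DMARC policy is p=reject" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce `
    -Priority 0

# Check the rule exists, is enabled, and is enforcing (not just auditing).
Get-TransportRule -Identity "Reject DMARC p=reject failures" |
    Format-List Name, State, Mode, HeaderContainsWords, RejectMessageReasonText
```

Run the rule in `-Mode Audit` first and review the message trace for hits before switching to `Enforce`, since any internal relay that rewrites the From header will trip it.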