I’ve had a tagging rule in my email client to flag SPF issues found in the message source(X-Spam-Status codes) for a couple of years, so I was surprised at the claim of not having SPF in place. It looks like you have had it for at least some of your infrastructure for a while. You had me checking the relevant parts of a sampling of emails from you.
A) mail from your systems to EasyMail mailboxes, does go through your spam checker. Good
B) X-Spam-Status: having a test for SPF_PASS since about 2016 is Good
C) Received-SPF: showing details is a much newer thing, 2022ish., A good thing

Running that tag flagging on my entire mailbox, I only see one instance of a fail, and that was a subdomain/host I hadn’t seen mail from before, nor see anything about it now. Relates to one of your migrations, so may well have been a host name that doesn’t exist anymore. Classic simple Unix/linux mail command does send from user@hostFQD much to my own frustration.
Clearly some of the cobbler’s grandchildren got shoes before the children.

Historic DMARC isn’t something we can readily see, but we can look up now.

Some, but not all of your subdomains do have SPF records (for years) but not a DMARC

** Time to check them all! **

I thought it was Mark Twain with that quote.