The fact that you have configured dkim, spf, dmarc and ptr is fine (by the way, this is far from all - mta-sts is also highly desirable and it would be nice if tlsa dane took care of it) - but what does this have to do with the fact that with all this verification the mail HOST SERVICE ?
If your client, for whom you are worried, has a mail service set to "accept everything", then he will receive all phishing letters supposedly from you. Well, it means he is SSZB. You did what you could.
In your situation, it was so - your mail service was not strictly configured to receive mail (and this, by the way, is correct - because it is generally unacceptable not to receive important and necessary mail - you need to slowly tighten the protective nuts).
PS
What you wrote in dmarc "quarantine" is a recommendation to the service of the receiving party - he can fulfill it, or maybe wipe himself, because he is not obliged to take into account your Wishlist!
Here is my example for you (in general, p=reject is written in my dmarc). Once, when updating the server, dkim completely crashed, and the pre-scheduled mailing list went away. So what ? In gmail, letters successfully got into the "Inbox" for all clients, although the dmarc report that gmail sent indicated that dkim was missing. It's just that gmail decides what to do with the letter based on its own rules and my p=reject doesn't give a damn about it :)

why incompetence? the default behavior is to take everything
further, the admin configures the rigidity up to spamassasin with a captcha confirmation
, apparently, the admin is the hoster, so I learned from you for the rigidity - configured

It is not enough to configure the records, the mailer must also check them.
None of the headers shown are related to spf and dkim. Maybe they don't check?
From a gmail message:

ARC-Seal
ARC-Message-Signature
ARC-Authentication-Results
Received-SPF
Authentication-Results
DKIM-Signature