Oh and interestingly I had to set a separate transport rule in M365 in order for M365 to follow our DMARC policy for internal emails. A bit weird, but there you go.
I've modified SPF and set up DKIM and DMARC for my organization and 2 other organizations we merged with in the past year. They're fairly small-sized, but it was definitely a fascinating learning experience if not a bit of a pain. I ended up using Postmark for RUA reporting.