DMARC requires alignment to pass. Alignment is the domain verified for SPF or DKIM must pass either check and be the same or a subdomain of the From header. Emails are sent from your domains, but the RFC5321 Mail From domain used by the vendor is @loanspq.com. This means receivers are not evaluating your domain for SPF when receiving emails from this vendor, but loanspq.com. Adding their recommended entry in your SPF record, as of right now, would make no difference.
The goal here is to contact the vendor and request that the RFC5321 Mail From address (also known as the return-path, envelope from) matches your domain. If they support that configuration, they will provide you the steps to follow in order to configure it.
Ah, ok, that makes more sense now. I’ll have them change the loanspq.com to our domain if they can. If they can’t (or won’t) should I change the from header to match loanspq.com emails subdomain to keep the emails from being rejected when I (eventually) change my DMARC rule to reject?
It truly depends on what the vendor supports. You are effectively at the mercy of how they codified their system and support the way they send on behalf of their customer’s domains. Not all 3rd parties are created equal.
From a technical perspective, either they need to align with SPF, DKIM or preferably both, or they should not spoof your domain at all. If they can’t support DMARC in anyway, but the business decides to keep this vendor, then it would need to be isolated to a subdomain for which a DMARC policy be deployed of p=none, which is not idea as you would imagine.
For now, contact the vendor, and communicate your plan and timeline for deploying a DMARC enforcement on your domain. If they need help understanding what DMARC means for them as sending on behalf of your domain, you can direct them to the following.
Hopefully they will be able to provide you with a path forward.