I believe that your patch was for the web front end, but that would still allow people to join by sending email to listname-join@example.com. We wouldn't be running any web interface anyway. I wanted to disable all methods of users joining and only rely upon an administrative process to handle who joins. It's easy to imagine a corporate use case for this, such as "all people with offices in building 43" or "all employees with dependents on health insurance" where the definition of who is on a list is maintained in an external system. We're not actually a corporation - we're a professional society with different member classes in our membership database. In any case, the decision of who belongs on a list is not made by the user.
In the interim I discovered another problem with DMARC failures in gmail when mail is sent through mailman3. Mail sent directly from our exim instance doesn't have this problem, so perhaps it's a problem with SRS. I won't be investigating this further, but I'm sure that SPF hard fails will be causing more problems for mailing lists in the future.