You should be able to get by with just a DKIM entry. For any service beyond your own email service, the return path with never be properly aligned. That's where SPF comes in. Even if you add the proper SPF record, it will still fail SPF. With a proper DKIM entry, it should pass. (I'm using a similar method for MailChimp.)
Go with these DKIM entries.
Host: squarespace._domainkey
Value: squarespace-domainkey.squarespace-mail.com