One of our clients, a large enterprise, had Exchange Online but also decided to use a 3rd Party Mail Gateway, called ProofPoint but could any of them, such as MIMEcast etc. Their emails were all routed through the Mail Gateway for mail-hygiene tasks to be completed by that product, so their MX record for their Exchange Online services would be pointing to ProofPoint. The made the Mail Traffic Flow look like this;

Sender.Bob —> Mx Record send to ProofPoint —> ProofPoint mail-hygiene —> EOP —> Recipient.Bill

That is all well and good, but the problem is that Exchange Online Protection, when it receives the email will see ProofPoint as being the sending IP address of the email and SPF (Sender Policy Framework) will fail and the email could be rejected

Enhanced Filtering for Connectors is available to help EOP skip the 3rd party IP addresses, and judge the sender based on the correct information

You can enable Enhanced Filtering by going to and creating a policy that includes the IP addresses of your 3rd Party Mail Gateway senders.

More information, as well an examples of how to use PowerShell are found at the MS article