One of the first things you should update before integrating Exchange Online or EOP into your mail flow is your organization’s SPF record. If you plan to use EOP as your perimeter gateway you may think that the O365 IPs are all you need, and you can get away with an SPF record that looks something like this:
v=spf1 include:spf.protection.outlook.com -all
Unfortunately, that isn’t the case. When Exchange Online shuffles emails around internally between tenants, any message from your on-prem environment will still need to be validated against your SPF record. What’s even more interesting, is if you have mailboxes in Exchange Online, Exchange on-prem, and decide to put a perimeter gateway like Proofpoint in front of EOP, then you get to have three sets of IPS (Exchange Online’s, your on-prem environment’s, and your Proofpoint gateway’s) in your SPF record!