Enhanced Filtering for Connectors - Improving Deliverability and Minimizing False Positives

 The IP specified in the -SenderIpRanges parameter in the Transport rule should match the CIP:XX.XX.XX.XX (Connecting IP address) present in the X-Forefront-Antispam-Report header. In this case, it should be the third-party filter's IP address. After enabling Enhanced Filtering for Connectors, this allow rule would still work by setting SCL:-1, but it is not recommended as it will bypass the complete filtering stack. Instead, you can just enable Enhanced Filtering for Connectors, so that it will rescue only the DKIM and DMARC failures by stamping compauth:None for messages that would have previously failed email spoof checks.

Note: In Exchange Online, the IP address used during the evaluation of this condition is the address of the last hop before reaching the service. This IP address is not guaranteed to be the original sender's IP address, especially if third-party software is used during message transport.