Microsoft
Microsoftbart_vermeersch Correctly identifying spoof is a good thing, but unfortunately, a lot of good mail is spoofed. One recommendation when first starting out is to either use a rule that sets the SCL to -1 (which overrides everything as long as your MX record points elsewhere), or - if you set the Spoof Action (in the Anti-phishing policy) to "Move to junk" - let your users know to check their junk folder for spoofed mail. One you see what important messages the system is identifying as spoof, you can go to the Spoof Insight and start overriding the most critical ones, then move towards a more secure configuration. Once you do start sending the mails to junk or quarantine, Spoof Intelligence can learn when users release the messages. But, the one critical bit is to get all of this tuned and figured out as best you can before you start switching MX records - the more that spoofing configuration is correct, the less likely you'll experience other issues as well.
And - as we call out in the document - if you see a lot of good mail getting caught by DKIM failures, make sure any message modifications are moved from the current filtering provider to Microsoft 365. We're looking to broaden our support for Authenticated Received Chain (ARC) in the future, but a lot of providers don't yet support it.