So I had this case with another IT provider who sends messages with failing SPF and thus marked as spam. That IT provider resists updating their own DNS for no reason. They were in contact with Office365 support (security and compliance team) who mentioned "adding domain to allow list" as a viable solution. Microsoft docs states very clearly that this is not recommended and is a high security risk. It's crazy to see that Office365 support (security and compliance team!) would suggest doing that..