I would try either updating your SPF record or updating Microsoft 365 first. If updating just one of them doesn't work, then update the other as well. Keep in mind that DNS and Microsoft 365 changes may take up to 24 hours to take effect, although typically a couple hours is enough.
In my first paragraph, I'm referring to the SPF record that should be set in DNS for your domain. Usually, the DNS name servers for a domain are set by your domain registrar (e.g., GoDaddy) to their DNS servers. The SPF record is a TXT apex record. (An apex record is at the root of your domain. DNS editing interfaces usually use @ for the hostname to denote apex records.) If Microsoft 365 is your only email provider, the SPF record is normally set to "v=spf1 include:spf.protection.outlook.com -all". Assuming your sending IP address is an IPv4 address, you would add ip4:x.x.x.x to your SPF record somewhere between the v=spf1 and the all. For example, if your IP address is 198.51.100.65, you could update your SPF record to "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.65 -all". If you have a range of IPv4 addresses that the email can come from, you would enter the range in (classless) CIDR notation. For example, if the address range is 198.51.100.65 to 198.51.100.70 with a subnet mask of 255.255.255.248, that would have 29 mask bits and the SPF record could be updated to "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.64/29 -all". Keep the range as small as possible. Using the same example, if the email can only come from 198.51.100.65 or 198.51.100.66 (e.g., the machines running Acronis True Image use only those two external IPs for NAT and the other IP addresses assigned to you are unused or used for other purposes), you could set your SPF record to "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.64/30 -all". If the emails come from more than one IP address and they are not in the same subnet, enter them separately. Example: "v=spf1 include:spf.protection.outlook.com ip4:198.51.100.65 ip4:203.0.113.36 -all".
A few pointers for updating your SPF record:
- Some DNS providers have you enter the quotes (") at the beginning and end while others don't.
- The SPF record always starts with v=spf1 and ends with all.
- Be sure to keep the symbol before the all the same as it was (e.g., -all, ~all).
- The SPF record can be longer than 255 characters but each string must be 255 characters or less. You shouldn't run into this but, if you do, your DNS provider should have instructions on how to enter multiple strings in one TXT record. The tools below check the line length and will warn you if too long.
- After updating your SPF record, verify it with an online tool such as MxToolBox's SPF Record Lookup or dmarcian's SPF Surveyor.
As for allowing the email address in Microsoft 365, you can leave the email address in the Anti-spam inbound policy but, as of September 2022, emails from senders in the allow list that are from your domain must pass email authentication checks (SPF, DKIM, and/or DMARC). Updating your SPF record may be enough but, if it's not, or if you don't want to update your SPF record, add the email address and IP address to the Tenant Allow/Block Lists page. On that page, go to the Spoofed senders tab and add a new entry as follows:
- In the Add domain pairs box, add the sending email address and IP address formatted like AcronisTrueImage@yourdomain.com, 198.51.100.65. If there is more than one IP address, enter a block of IP addresses in CIDR notation like AcronisTrueImage@yourdomain.com, 198.51.100.64/30, or, if they are not in the same subnet, add multiple lines.
- Set Spoof type to Internal (assuming the email address uses your domain).
- Set Action to Allow.
Remember to update SPF and/or the Tenant Allow/Block Lists page if your sending IP address(es) ever change or the emails stop being sent (e.g., you switch to a different backup product).
