Let us assume that Exchange Hybrid Organization pointed its MX record to Office 365 or Exchange Online Protection, the mail flow works as shown in the below diagram.
In this article, we will see how the inbound and outbound flow works when the email routing configured to route through Exchange Online Protection.
Inbound Mail Flow
MX record point towards Office 365 Tenant -> Exchange Online Protection will receive the email and it will do the Recipient validation using Directory Based Edge Blocking, if the recipient is not available email will be dropped -> Anti-Virus scanning will occur, EOP has 3 AV engines -> Recipient resolution will occur like distribution group expansion -> Transport Rule will be applied, if any marked as SPAM using Transport rule then those emails will be quarantined -> Anti-Spam Protection will occur which includes, content scanning, outlook safe sender validation, URL blocking, bulk mail filtering, international spam filtering – > customer delivery pool and then to On-Premise Server.
Outbound Mail Flow
Office 365 or On-Premise user send an email -> Virus Scanning will occur -> Recipient Resolve -> Transport Rules -> SPAM Protection -> Outbound Delivery Pool -> Recipient MX resolution -> Recipient domain.
If an outbound email identified with high SPAM score, then it will delivered via high-risk delivery pool.
Above are the high level illustration of how the mail flow works in Office 365.