Under the RULES make sure to enable the TWO RULES as SHOWN in the screen shot
**Note:** the RULE "**Proofpoint lockdown...**" ***MUST NOT*** be enable for the first day. Enable it only after couple days. this RULE will basically Lock Down your tenant and only accept message that are coming from Proofpoint IP address, otherwise the email will be rejected. If you have a device sending directly to office365 you MUST add its IP address in the EXCEPTION list