In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365.To get started, see Use DKIM to validate outbound email sent from your custom domain in Office 365.
If you want to stop the clients, you must uncheck, "Register this connection" checkbox in the NIC's IPv4 properties.
However, if you have purchased Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2.
For example, if you are fully-hosted in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this: If you are already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you are migrating to Office 365 Germany, you need to update your SPF TXT record.
To do this, change include:spf.protection.to protection. For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see How SPF works to prevent spoofing and phishing in Office 365. Read Troubleshooting: Best practices for SPF in Office 365.
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against.
Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.