When sending mails through our Exchange 365 service those mails get through successfully, but if we look at the mail headers we see that where the sender and recipient are in our tenant the mail's actually failed SPF; whilst if we sent mails to a third party (e.g. to a gmail address) the SPF is correct.
Specifically we see that the mail sent internally shows as having an IP in the ip6:2603:1000::/24 range (e.g. 2603:10a6:400:49::16 ...) and that IP is not listed on spf.protection.outlook.com.
Similarly, when checking the headers of mails sent to third parties we see a DKIM selector is included in the mail's header. For those sent to other mailboxes within our tenant, no such header exists.
Others have been reporting the same for several years. Like those others I've spoken to MS support, but this scenario is off-script for them, so that got me nowhere.
My guess is that MS don't care about SPF/DKIM when messages are within tenant, as they know those mails are valid, so they don't filter them. However, I can't find any documentation to confirm this, and this seems wrong (e.g. if your mail client has its own logic to validate these, how would it know to trust them). This is a frustrating issue, as when investigating real email issues it's harder to say whether mails failing these checks indicates a real issue or, as valid mails also fail these checks, we're looking in the wrong place.
Usually, these authentication checks are performed at the edge of the organization's network, thus it would make sense for these headers to be absent in internal email flow.
Other headers do offer clues about the email being an internal email. For example, the X-MS-Exchange-Organization-AuthAs: Internal header tells you that the email originates from your tenant, or from your on-premises Exchange Server through the use of a matching Exchange Online Inbound Connector of type OnPremises in case of a hybrid environment (if set up correctly). X-MS-Exchange-Organization-MessageDirectionality: Originating is another one.
This is actually a very comprehensive post on mail flow within an Exchange Hybrid environment, but it is applicable to your question.
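As an added example (not code from the thread or from Microsoft), here is a small Python triage helper that reads the two headers named above together with Authentication-Results and reports whether missing or failing SPF/DKIM/DMARC verdicts are expected for a given message. The sample headers are constructed; the AuthAs value Anonymous and the directionality value Incoming used for the external sample are assumptions, not values quoted in this thread.

```python
import email
from email import policy

# Constructed samples; the internal one mirrors the question (SPF fail, no DKIM).
INTERNAL_MSG = """\
From: alice@example.com
To: bob@example.com
Authentication-Results: spf=fail (sender IP is 2603:10a6:400:49::16) smtp.mailfrom=example.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-MessageDirectionality: Originating
"""

EXTERNAL_MSG = """\
From: someone@example.org
To: bob@example.com
Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass action=none header.from=example.org
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
"""

def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for clause in hdr.split(";"):
            clause = clause.strip()
            for method in ("spf", "dkim", "dmarc"):
                if clause.startswith(method + "="):
                    # "spf=fail (sender IP is ...)" -> "fail"
                    verdicts[method] = clause[len(method) + 1:].split()[0].lower()
    return verdicts

def classify(raw: str) -> dict:
    """Decide whether absent or failing edge checks are expected for this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth_as = str(msg.get("X-MS-Exchange-Organization-AuthAs", "")).strip().lower()
    direction = str(msg.get("X-MS-Exchange-Organization-MessageDirectionality", "")).strip().lower()
    verdicts = parse_auth_results(msg)
    internal = auth_as == "internal" and direction == "originating"
    failing = [m for m, v in verdicts.items() if v != "pass"]
    return {
        "internal": internal,
        "verdicts": verdicts,
        # Intra-tenant mail never crosses the edge, so missing or failing
        # SPF/DKIM/DMARC verdicts there are not by themselves evidence of spoofing.
        "needs_attention": not internal and (not verdicts or bool(failing)),
    }
```

Run classify() over headers exported from a suspect message; only mail that is not marked internal and lacks or fails verdicts is flagged for a closer look.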
Your speculation about Microsoft's SPF/DKIM handling may be partially correct. Since the email stays within the same tenant, Microsoft may trust these emails by default and will not apply the same screening rules as for external emails. DMARC, DKIM and SPF are not used for internal email, only for external email, and I agree with Reinto's suggestion. There is also some discussion here: https://community.spiceworks.com/topic/2461253-internal-emails-have-no-dmarc-dkim-spf-authentication