If an email is delivered to the inbox in M365 even though the email fails DMARC, the first thing to look for is the Antispam Report in the headers of the email. If the Spam Confidence Level is set to -1, this means that the email was delivered due to a rule defined in M365 as shown below.
X-Forefront-Antispam-Report:
CIP:10.23.45.67;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;H:o5.notifications.acme.com;PTR:o5.notifications.citrix.com;CAT:NONE;SFTY:;SFS:;DIR:INB;SFP:;
There are two main places to look for these rules.
To find the rules, log into M365 as an admin and go to mail flow and click on 'rules':
Examine each rule to see if the IP, From address or other information in the email is listed in a mail rule. By clicking on a rule, you can see the configuration as shown below:
Another place to look is the spam settings. Specifically, look at the allowed domains and allowed senders to ensure that the email was not allowed based on it's domain
