We recommend to clients to block any inbound traffic from the internet EXCEPT if it comes from proofpoint.
However there's a weird case in Office365 where Meeting Forward Notifications don't follow the normal mail path and is considered "external" mail by Office365 so you get a bounce saying "invalid IP address' as in the example rule below. You can bypass this by putting an exception as pictured below.
