From a technical view, some customer environments with specific SPF record setups, downstream from DLP may observe soft fail errors in exchange online after reflect mode in DLP has been configured in front and backend.

Release : 15.x

Component : DLP Cloud Service for Email

Modifications to SPF records are not typically needed for Reflect Mode detectors for DLP Cloud Service for Email, once configured backend and in DLP. 

Some custom environments may require adding DLP GCP Cloud Service IP range (144.49.240.0/21) to their SPF records for their domains in their DNS to avoid soft fail errors in Exchange Online Protection (O365 or M365) downstream from DLP.