In O365, SPF authentication fails and the message header shows the following.

Authentication-Results: spf=softfail (sender IP is xxx.xxx.xxx.xxx)
smtp.mailfrom=example.com; dkim=pass (signature was verified)
header.d=example.com;dmarc=pass action=none
header.from=example.com;compauth=pass reason=100
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning example.com discourages use of xxx.xxx.xxx.xxx as permitted sender)

ESS does not support Authenticated Received Chain (ARC). As a result, when a message is forwarded to O365, the original IP address is replaced and SPF authentication fails. 

There is no way to address it in ESS. Please try not to use SPF authentication in O365 for emails forwarded from ESS.