tl;dr: Ensure the accepted domain(s) in Exchange Online are configured as Authoritative, not Internal Relay, even if you're in hybrid, to take advantage of Directory Based Edge Blocking.

Those of you who have worked with Exchange Server for a long time, and those familiar with cross-forest migrations, will probably know about Authoritative vs. Internal Relay domains. When a domain is set to Authoritative, email is delivered only to valid recipients in the Exchange organization. With Internal Relay domains, email is delivered to recipients that exist in the Exchange organization, and email for any other recipient is relayed to another email server in a different location.
I've seen a number of customers (especially Exchange hybrid customers) configure their domains on-premises or in Exchange Online Protection as Internal Relay, thinking that this is required in order to relay emails on-premises or to their tenant. This isn't necessary because emails will still relay between on-prem and EXO using the targetAddress (aka external routing address) value, which always happens even if the domain is set to Authoritative.
Why is this a big deal? Well, Exchange Online has a feature called Directory Based Edge Blocking (DBEB), which rejects messages for invalid recipients at the service network perimeter. Exchange Edge Transport servers do the same thing on-prem. DBEB prevents Exchange from accepting invalid emails, scanning them for malware and spam, performing rules processing, etc., when they have no hope of being delivered because the address is bad.
If a domain is set to Internal Relay, DBEB can't work, since rejecting unknown recipients at the edge would block the emails that are supposed to be relayed to another server. With DBEB, Exchange performs a directory lookup before it even accepts the email. If the recipient address doesn't exist, Exchange rejects the email with a 550 5.4.1 Recipient address rejected: Access denied error. The RFC states it's up to the sending server to generate the NDR back to the sender.
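As an added example (not part of the original post), here is an Exchange Online PowerShell snippet that lists accepted domains still set to Internal Relay and switches them to Authoritative. The cmdlets (Connect-ExchangeOnline, Get-AcceptedDomain, Set-AcceptedDomain) are the standard ExchangeOnlineManagement ones; the two wrapper function names are my own.

```powershell
# Added example: audit Exchange Online accepted domains for the Internal Relay
# setting and switch them to Authoritative so DBEB can reject unknown recipients.
# Requires the ExchangeOnlineManagement module; the function names below are
# hypothetical wrappers, not part of the module.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-NonAuthoritativeAcceptedDomain {
    # Return every accepted domain whose DomainType is not Authoritative
    # (in Exchange Online that means InternalRelay), so DBEB is not applied to it.
    Get-AcceptedDomain |
        Where-Object { $_.DomainType -ne 'Authoritative' } |
        Select-Object Name, DomainName, DomainType, Default
}

function Set-AcceptedDomainAuthoritative {
    # Flip the listed domains to Authoritative. Supports -WhatIf / -Confirm
    # so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [string[]]$DomainName
    )
    foreach ($name in $DomainName) {
        if ($PSCmdlet.ShouldProcess($name, 'Set DomainType to Authoritative')) {
            Set-AcceptedDomain -Identity $name -DomainType Authoritative
        }
    }
}

$relayDomains = Get-NonAuthoritativeAcceptedDomain
if (-not $relayDomains) {
    Write-Host 'All accepted domains are Authoritative; DBEB applies to every domain.'
} else {
    $relayDomains | Format-Table -AutoSize
    # Dry run first; drop -WhatIf once the list looks right.
    Set-AcceptedDomainAuthoritative -DomainName $relayDomains.DomainName -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Before removing -WhatIf in a hybrid deployment, confirm that every on-prem recipient in those domains is represented in Exchange Online as a synchronized object with a targetAddress, because once the domain is Authoritative anything not found in the directory is rejected at the edge rather than relayed.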