All External Mail to Office 365 Fails SPF, Marked as Junk by EOP in a Hybrid Deployment

Are you sure mail flow is going directly from your Hybrid server to O365?

When you ran the hybrid wizard it should have created connectors locally and in O365, which will tread mail flow between the forests as internal mail. This means it will bypass the EOP/Spam checks and you should never see those SPF messages.

If your edge device is modifying the headers this may be causing your issue - between your server and O365 nothing should modify the message headers. Make sure you don't have an existing connector that may be overriding the ones created by the Hybrid wizard. You can always delete the existing connectors that were created and re-run the wizard to re-create them.

Check your transport rules in Exchange and make sure they are not modifying the message before going to O365, if they are disable them and test again to make sure those are not your problem.

Last (or maybe first) check that your federation is configured correctly. If it's not that could be why your mail is not treated correctly. This is where re-running the Hybrid wizard can you help you as well.