Thanks Andy.
My main role in mt org is mdm intune etc but I have been tasked with this so want to make sure I get it right.
The issue is our sec team dont know as much as they think.
I have put forward this fix as you have suggested and received the following response
sendinblue servers are a spoofing agent, its not just our guys that can use sendinblue to send out emails as @ourcompany.... in theory anyone can, and now they are also getting marked as ok on SPF....Thats the reason I wouldnt have done it that way, far to risky to the business domain externally, not much risk to our guys mind u.
IMO this is incorrect as we have dkim and dmarc in place to stop the above from happening. So there is no concern there if I am correct?