I finally resolved my issue.
This topology works fine:
Inbound Internet to on-prem/online
DNS to our SEG --> Exchange on-prem | Lookup if Online --> Exchange online

Outbound on-prem to internet
User --> Exchange on-prem --> SEG --> internet

Outbound Exchange online to internet
User --> EOP --> Exchange on-prem --> SEG --> internet

Here is the documentation of our SEG
https://www.clearswift.com/sites/default/files/documents/technical-guides/setup-and-config/Configuring%20the%20Clearswift%20SECURE%20Email%20Gateway%20with%20Office%20365%20V3_0%20FINAL.pdf

Configure the SEG to Prevent Relaying Spoofed Email from Office 365

To further limit the ability of third parties to use Office 365 accounts to relay spoofed messages through your SEG it is recommended that you configure Office 365 to add an X-Header to all of the emails that originate from one of your domains. You can then configure your SEG to only deliver messages that appear to originate from your email domains and contain the appropriate X-Header value. This will help to address any attempts by third parties to use their own Office 365 account to spoof messages so that they appear to originate from one of your email domains.
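
The relay decision the guide describes, sketched in Python as an added example (not code from the post or from Clearswift; on a real SEG this is set up as policy, not code). The header name, its value and the domain are assumed placeholders.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders: none of these values come from the post or the guide.
OWNED_DOMAINS = {"example.com"}
TENANT_HEADER = "X-Example-Tenant-Auth"
TENANT_VALUE = "constructed-shared-value"


def process(raw_message):
    """Decide whether a message arriving from Office 365 may be relayed.

    Returns ("relay", cleaned_message) or ("reject", None).
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in OWNED_DOMAINS:
        return "reject", None  # sender does not appear to be one of our domains
    values = msg.get_all(TENANT_HEADER) or []
    if len(values) != 1:
        return "reject", None  # header missing or ambiguous: fail closed
    supplied = values[0].strip().encode()
    if not hmac.compare_digest(supplied, TENANT_VALUE.encode()):
        return "reject", None  # header present but not the value our tenant stamps
    # Strip the marker before the message leaves, so external recipients
    # never see the value the check depends on.
    del msg[TENANT_HEADER]
    return "relay", msg.as_string()


def sample(from_addr, header_value=None):
    """Build a constructed test message (not real traffic)."""
    lines = ["From: " + from_addr, "To: bob@example.net", "Subject: test"]
    if header_value is not None:
        lines.append(TENANT_HEADER + ": " + header_value)
    return "\n".join(lines) + "\n\nbody\n"


if __name__ == "__main__":
    for raw in (sample("Alice <alice@example.com>", TENANT_VALUE),
                sample("alice@example.com"),
                sample("alice@example.com", "guess"),
                sample("eve@example.org", TENANT_VALUE)):
        print(process(raw)[0])
```
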