It is solved by the product. You tick a box, and internal mail is bypassed.
The issue here is that developers and IT folk seem to think that email is easy because the know IT. Email is a complex, and old protocol that has many nuances and, believe it or not, phishers are smart; end users are naive, and often reckless. Spammers, be they benign or otherwise, can be incredibly lazy too, but don't think for one second that you, as a postmaster, are cleverer than they are. Spam and phishing are getting harder to beat. Businesses like Proofpoint, Cisco and Mimecast, along with the likes of Google and Microsoft, are investing heavily in trying to beat these guys, but the reality is that they are always at least two steps ahead.
At scale, that’s not an option. If you have external services that send mail to your Workspace tenant, there is a risk of compromise to the sending service, especially if it is outside of your control. The sending service could have SPF records that permit sending mail on your behalf. That mail needs to be scanned. There is also the threat from bad actors inside your perimeter. Sure if you’re a small operation, or using Workspace as a personal mail host, this may seem like overkill, but I can assure you that the majority of orgs that use Workspace (it a business too after all) would prefer the status quo.
> Bypass spam filters for internal senders
Is this what you are looking for?