Whenever I have utilized a cloud-based spam filtering service, I have always adjusted the SMTP rule on the firewall to only accept traffic from said service. However, I have recently seen docs/articles directing to adjust your email server to do this task instead (i.e. locking down the receive connector on the Exchange server).
My thinking to this would be that the less work the server has to do the better, and it seems a job more suited for the firewall anyway.
Am I missing something? What would be the advantage(s) to having the email server handling this task, over the fw?