In short, I have a transport rule in Exchange 2007 to block a DDG from receiving email from the internet; only internal email is allowed. In transitioning the mail server to 365, I'll be sending mail to these users via a local SMTP server that connects to AWS SES, which sends the mail back to Exchange; however, these are treated as "outside", obviously. I could add an exception to the transport rule to allow email from an address or distribution group to come through, but then I worry about spoofed emails getting to users and them thinking it is from an internal user. I'm also considering adding an exception for anything with the "out.amazonses.com" text pattern in the header, so anything coming from AWS SES is allowed, but then that would allow any email from amazonses.
Any other ideas or which would be best to limit this group during the transition?
Also, going forward with 365, I'll probably set up a relay in 365 and redirect this local SMTP server to authenticate and connect to it, but will I be in the same position with 365 that the emails coming from my local SMTP server will be considered "outside"?
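
The two exceptions weighed in the question, evaluated against three constructed messages, as an added example that is not part of the original post. The addresses, hostnames and the `by_both` combination are assumptions for illustration; the functions model plain text matching on headers, not Exchange's rule engine.

```python
from email import message_from_string
from email.utils import parseaddr

ALLOWED_SENDER = "alerts@example.com"  # placeholder for the relay's sender address
SES_PATTERN = "out.amazonses.com"      # text pattern named in the post

def build(received_host, from_addr):
    """Build a constructed test message; hosts and addresses are placeholders."""
    return message_from_string(
        f"Received: from {received_host} ({received_host} [192.0.2.10])\n"
        f" by mail.example.com; Mon, 1 Jan 2024 10:00:00 +0000\n"
        f"From: {from_addr}\nTo: all-staff@example.com\nSubject: test\n\nbody\n"
    )

# Constructed samples: the intended relay path, a forged From sent directly,
# and an unrelated sender whose mail also passes through SES.
SAMPLES = {
    "relay_via_ses": build("a1-1.smtp-out.amazonses.com", "alerts@example.com"),
    "forged_from_direct": build("mail.unrelated.example", "Alerts <alerts@example.com>"),
    "other_ses_customer": build("a2-2.smtp-out.amazonses.com", "news@other.example"),
}

def by_sender(msg):
    """Exception keyed on the From address only (unauthenticated header text)."""
    return parseaddr(msg.get("From", ""))[1].lower() == ALLOWED_SENDER

def by_header(msg):
    """Exception keyed on the SES text pattern appearing in a Received header."""
    return any(SES_PATTERN in h.lower() for h in msg.get_all("Received", []))

def by_both(msg):
    """Assumed combination: narrower than either check, still header matching."""
    return by_sender(msg) and by_header(msg)

def evaluate():
    """Return, per sample message, which exception would let it through."""
    rules = {"sender": by_sender, "header": by_header, "both": by_both}
    return {name: {r: fn(m) for r, fn in rules.items()} for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:20} {result}")
```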