O365 Exchange connectors apply spam filters before checking certificate

If you have devices like multifunction printers which need to send email the MS solution is to configure an inbound email connector.

You can use source IP to identify the origen of incoming messages and to associate them with the inbound connector. However the best way is to use a certificate in the TLS session. 

So far so good. However theres a design problem. MS applies RBL filters seemingly before checking either the source IP or the certificate. If the IP appears in the list MS simply reject the connection.

The makes no sense as they are checking against the spamhaus general rbl. This RBL contains all dinamic IP ranges. I don't know for other countries but where I am even if you contract a fixed IP, the IP address they assign you is still in the dynamic IP range, its just fixed. This means that the reverse lookup on the IP address shows a name with dynamic in it. Spamhaus automatically include these in their RBL.

Most companies will have a normal fiber connection, with a fixed ip or not. Those fiber connections will almost always be included in a spamhaus rbl as they are not going to be running mail servers.  

Thus checking the IP against the general spamhaus RBL makes no sense as it is going to automatically block almost everyone who would actually use an inbound mail connector.

Does anyone know how to communicate this situation to whoever controls this in MS?

Ian