Dan,

The MS article requires you pointed out says one of the two conditions must be met:

1 - Sender domain must be a local domain

OR

2 - Use a certificate

Is there a reason why you can't use the first option?

Although I have to research this further, I assume by a certificate they mean using STARTTLS with a valid certificate for the domain you're trying to send from. Are you using STARTTLS in Xeams with a valid cert?