Dan,
The MS article requires you pointed out says one of the two conditions must be met:
1 - Sender domain must be a local domain
OR
2 - Use a certificate
Is there a reason why you can't use the first option?
Although I have to research this further, I assume by a certificate they mean using STARTTLS with a valid certificate for the domain you're trying to send from. Are you using STARTTLS in Xeams with a valid cert?