I agree with most of Dave's suggestions, but as a niggle:
Upon DKIM and ADSP evaluation, a receiver may decide to reject a
message during an SMTP session. If this is done, use of an [SMTP]
DKIM and ADSP evaluation are not performed during an SMTP session, unless the
session is delayed after the crlf.crlf, and that's not supposed to happen.
Why not? My MTA usually does a whole spamassassin run between the end
of data and the ack. It adds maybe five seconds, at a point where 5321
says the timeout should be ten minutes.
NOTE WELL: This list operates according to