You can never trust MTA #3, because it never connects to any of your trusted forwarders.

Rate only the first forwarder outside the dotted boundary. Anything beyond that can be a total fake, including the IP addresses appearing in authentication headers!

A Trusted Forwarder must at least capture the IP address and declared ID of any connected MTA, and should also authenticate that ID.
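
The rule above can be applied mechanically to a message's `Received` chain. The following is an added example, not code from the original page: it walks the headers from the top, believes a header only while the one above it shows a trusted forwarder as the connecting peer, and returns the single hop to rate. The host names, addresses and the `TRUSTED` list are constructed assumptions, as is the `from <id> (<rDNS> [<ip>])` header layout.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: newest Received header first, as a receiving MTA sees it.
SAMPLE = """\
Received: from fwd.example.net (fwd.example.net [198.51.100.7])
 by mx.example.org with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.sender.test (unknown [203.0.113.45])
 by fwd.example.net with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.bank.test (relay.bank.test [192.0.2.10])
 by mail.sender.test with ESMTP id C3; Mon, 1 Jan 2024 10:00:01 +0000
From: a@sender.test
Subject: constructed sample

body
"""

# Assumption: the forwarders you trust, identified by the addresses they connect from.
TRUSTED = [ipaddress.ip_network("198.51.100.7/32")]

# "from <declared id> (<optional rDNS> [<peer ip>])" as written by the receiving side.
PEER = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]\)")

def first_outside_hop(raw_message, trusted_networks):
    """Return (hop_to_rate, unverifiable_headers).

    The top header was written by our own MTA. Each header is believed only
    while the one above it shows a trusted forwarder as the connecting peer.
    """
    received = message_from_string(raw_message).get_all("Received", [])
    for depth, header in enumerate(received):
        match = PEER.search(header)
        try:
            peer = ipaddress.ip_address(match.group(2)) if match else None
        except ValueError:
            peer = None
        if peer is None:
            # A trusted writer recorded no usable peer address: nothing to rate.
            return None, received[depth + 1:]
        if not any(peer in net for net in trusted_networks):
            hop = {"declared_id": match.group(1), "ip": str(peer)}
            return hop, received[depth + 1:]
    return None, []

if __name__ == "__main__":
    hop, unverifiable = first_outside_hop(SAMPLE, TRUSTED)
    print("rate this hop:", hop)
    print("ignore", len(unverifiable), "header(s) below the boundary")
```

Headers returned in the second value were written by hosts that never connected to a trusted forwarder, so nothing in them, including the `192.0.2.10` address, should feed a reputation decision.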