You can never trust MTA #3, because it never connects to any of your trusted forwarders.
Rate only the first forwarder outside the dotted boundary. Anything beyond that can be a total fake, including the IP addresses appearing in authentication headers!
A Trusted Forwarder must at least capture the IP address and declared ID of any connected MTA, and should also authenticate that ID.
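The rule above can be applied mechanically to a message's Received headers. The following is an added example, not code from the original page: it walks the headers from newest to oldest and returns the one hop worth rating. The host names, the IP addresses, the trusted-forwarder list and the `from helo (rdns [ip]) by host` header layout are all assumptions made for the illustration.

```python
import re
from email import message_from_string

# Assumption: IP addresses of the forwarders this receiver trusts (constructed values).
TRUSTED_FORWARDERS = {"192.0.2.10", "192.0.2.20"}

# Assumed header layout: "from <declared-id> (<rdns> [<ip>]) by <recording-host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]]*\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

# Constructed sample. The last Received line was written by an untrusted host,
# so the address it shows (203.0.113.99) may be fabricated.
SAMPLE_MESSAGE = """\
Received: from fwd2.example.net (fwd2.example.net [192.0.2.20])
    by mx.receiver.example with ESMTP; Mon, 1 Jan 2024 00:00:03 +0000
Received: from fwd1.example.org (fwd1.example.org [192.0.2.10])
    by fwd2.example.net with ESMTP; Mon, 1 Jan 2024 00:00:02 +0000
Received: from outside.example (unknown [198.51.100.7])
    by fwd1.example.org with ESMTP; Mon, 1 Jan 2024 00:00:01 +0000
Received: from deeper.example (deeper.example [203.0.113.99])
    by outside.example with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
From: sender@deeper.example
Subject: constructed sample

body
"""

def first_untrusted_hop(raw_message, trusted=TRUSTED_FORWARDERS):
    """Return (declared_id, ip, recorded_by) for the hop to rate, or None."""
    msg = message_from_string(raw_message)
    # Received headers are prepended, so the newest (our own) comes first.
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m is None:
            return None  # chain broken: nothing further down is reliable
        if m["ip"] not in trusted:
            # Recorded by us or by a trusted forwarder: this is the first
            # MTA outside the boundary. Stop here and ignore deeper headers.
            return m["helo"], m["ip"], m["by"]
    return None  # every recorded hop was a trusted forwarder

if __name__ == "__main__":
    print(first_untrusted_hop(SAMPLE_MESSAGE))
```

The sample's deepest hop plays the part of MTA #3: it is never returned, because the only header naming it was written outside the boundary.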