Why would the HELO_DYNAMIC_* rules trigger on these headers? Surely it's ok to have a dynamic IP as the *source* of a message, just not in a relay..?
It looks like it might be a trust path issue.. are the brandeis.edu hosts trusted? If so, SA would be correct in deciding a dynamic node from attbi.com dropped mail off directly.
What do the *.home.jay.fm hosts resolve as when the machine running SA does a DNS lookup? are they reserved IP's? If so, you'll have trust path issues and need to manualy define trusted_networks.
