I struggle with this every day as well.
To prevent relaying or delivery of Spoofed Spam, the "Enable domain's SMTP auth setting for local deliveries" setting in SMTP IN and "Require SMTP Authentication" on Domains are necessary. However, doing so means that any email addressed from a domain that is not sent by your Mail Server is going to bounce with the "550 Authentication is Required for Relay" message.
In an ideal world we would take the hard line and tell customers that their web application must simply use SMTP Authentication in order to send email as FROM: an address on their domain. However, it is not an ideal world and sometimes there are outdated web apps that still don't allow for SMTP Authentication, or 3rd Party Providers (such as Quickbooks, MailChimp, Constant Contact, etc.) that insist on sending email using their own Mail services addressed as FROM: the customer's domain.
SMTP Bypass is one way of handling the problem (which doesn't always work as intended). Alternatively, you can disable "Require SMTP Authentication" for that domain. There are potential repercussions of either course of action.
I'm not aware of any other solution. I, for two, would also like it if SMTP IN did take into account SPF/DMARC before rejecting with a 550 Authentication is Required for Relay, because it is a daily struggle when SmarterMail does not take into account 3rd Party Services & Providers that legitimately address their email's FROM: the customer's account.