Hi, J

I get what you're saying. You can always whitelist that user's IP address on the server. That should override the system-level authentication block for that country. At least that way you don't unblock an entire country for one user of one domain. 

The downside is this user burns through IP addresses like it's going out of style.  Unless we require them to obtain a static IP (which is null and void if they mobile) or they purchase a VPN that offers static IP access it's essentially a non-starter.

Unfortunately, it's becoming less and less effective to safelist IP addresses because end users go through them too often.  It works better for servers and such where their addresses never change (or rarely) --

We will continue investigating what options are available --

If the issue was limiting inbound email from foreign countries, you could dedicate an inbound gateway to that domain.   But I gather the issue is that he wants to retrieve email from foreign countries.

Our process, which may be a tough sell for you:

We block all remote access from foreign countries, which includes no email to your cell phone.  Some employees travel to foreign countries for personal reasons but still need to log in remotely to do work or to check their work email.   They use their personal email to send us their current public IP address, and we enable that one IP address until they move to a new location or return home.   It works for us because employees have to put up with our rules. It may not work for clients who feel free to take their business elsewhere.   But it is safe. 

For what it's worth - we're basically doing the same thing with one domain we host. They have two users that connect via a VPN with static IP assignments and it works well for them. We are very strict on the "foreign country access" for authenticated activity. The situation for this one edge case was the inability to maintain a static IP for this particular user.