A partial answer is available here, where it describes an Exchange security feature called the Header Firewall.

The header firewall removes sensitive x-headers from messages and prevents abuse. The article describes how they are configured, but stops short of listing all the headers, the meanings of the rights, or the relationship to the checkboxes.

That being said, I'll run the following command later to enumerate the various settings for send and receive connectors.

Get-SendConnector –Identity {name of Send connector} | Get-ADPermission | where {$_.ExtendedRights –like “*routing*”} | fl user, extendedrights

Get-ReceiveConnector –Identity {name of default Receive connector} | Get-ADPermission | where {$_.extendedrights – like “*routing*”} | fl user,extendedrights

Documentation on Authentication

• Externally Secured does not stamp any SCL X-headers on the message as an SCL of -1 would’ve bypassed Outlook’s checks. The only header this authentication type creates is X-MS-Exchange-Organization-AuthAs: Internal

Documentation on SMTP headers

• ms-Exch-Bypass-Anti-Spam extended right circumvents the Exchange Anti-Spam checks, not Outlook’s.