- set up the MTA to use an EHLO name matching DNS for the IP

I continually get that the two do not match using the various email
testers. Yet the domain names do indeed match.

Care to share the logs of one of those testers?
When your server says "EHLO mx1.example.com" then the reverse DNS of the connected IP also has to be mx1.example.com.

A beginner's trap on systems with more than one IP address is to forget to explicitly set the right outgoing address. (Via src in the action directive.) Don't forget IPv6.
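
The check described in the reply above, as an added example that is not part of the original thread: for every outgoing source address, IPv6 included, compare the PTR name with the EHLO name. It goes one step further and also confirms that the EHLO name resolves back to that address. The function names and the sample DNS data are constructed for illustration; without the lookup arguments it uses the system resolver.

```python
import ipaddress
import socket

def _name(n):
    return n.rstrip(".").lower()

def _ip(a):
    return ipaddress.ip_address(a.split("%")[0])  # drop any IPv6 zone id

def system_ptr(ip):
    """PTR name(s) for ip via the system resolver."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_addrs(name):
    """All A/AAAA addresses for name via the system resolver."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def check_ehlo(ehlo_name, source_ips, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return {ip: [problems]}; an empty list means that address passes."""
    ehlo = _name(ehlo_name)
    forward = {_ip(a) for a in addr_lookup(ehlo)}
    report = {}
    for ip in source_ips:
        problems = []
        ptrs = [_name(p) for p in ptr_lookup(ip)]
        if not ptrs:
            problems.append("no PTR record")
        elif ehlo not in ptrs:
            problems.append(f"PTR is {ptrs[0]}, not {ehlo}")
        if _ip(ip) not in forward:
            problems.append(f"{ehlo} has no A/AAAA record for {ip}")
        report[ip] = problems
    return report

# Constructed sample data (documentation address ranges), not real DNS.
SAMPLE_PTR = {"192.0.2.10": ["mx1.example.com."], "192.0.2.11": ["host11.example.net."]}
SAMPLE_FWD = {"mx1.example.com": ["192.0.2.10", "2001:db8::10"]}

if __name__ == "__main__":
    result = check_ehlo("mx1.example.com", ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
                        ptr_lookup=lambda ip: SAMPLE_PTR.get(ip, []),
                        addr_lookup=lambda n: SAMPLE_FWD.get(n, []))
    for ip, problems in result.items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

In the sample data the second IPv4 address and the IPv6 address are the ones that fail, which is the multi-address case the reply warns about.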

