While you are making that API for checking local addresses, please don't forget to make provisions for cases where the sender is "by chance" hosted on the same box, and could perhaps be faking himself. This is especially important for some of the viruses I noticed fake the mailbox on domains hosted on my box, and they send mail to real people...! so these people should either authenticate, or at the very least, they should exist.
Aric
