Good luck with AWS/Azure IP addresses. Most cloud providers have the entire IP blocks of their compute services (VMs, etc.) blacklisted by the majority of DNSBL and antispam actors. If the EC2 instances act as the last outgoing relay (the last IP), you will encounter email being rejected by recipient mail servers at some point.
Best solution is to have your own AS number and IP ranges and your own hosting.
Mailinblack has been doing this for more than ten years now, mostly in France. This technique is called "challenge-response" filtering. It works pretty well alongside other antispam techniques. Their solution sends a daily digest (x per day) of quarantined emails to the user, allowing them to release legitimate emails from lazy senders who do not respond to the challenge-response email. They also use the users' outgoing emails to populate their personal whitelist.
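To make the workflow described in that comment concrete, here is a small challenge-response filter written for this page as an added example (it is not Mailinblack's code and makes no claim about their implementation). It quarantines mail from unknown senders, sends one challenge per sender, releases and whitelists a sender when the challenge is answered with a valid HMAC token, learns the whitelist from outgoing mail, and exposes the quarantine as a digest from which the user can release mail from senders that never answer (mailing lists, no-reply systems). The addresses, message IDs, and the HMAC key are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed key for this demo; a real deployment would use a per-installation secret.
CHALLENGE_KEY = b"demo-challenge-key"


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str


@dataclass
class Verdict:
    action: str              # "deliver" or "quarantine"
    challenge_to: str = ""   # sender address a challenge was emitted to, if any


class ChallengeResponseFilter:
    def __init__(self) -> None:
        self.whitelist: Dict[str, Set[str]] = {}       # user -> trusted senders (lowercased)
        self.quarantine: Dict[str, List[Message]] = {}  # user -> held messages
        self.delivered: List[Message] = []
        self.challenges_sent: List[Tuple[str, str]] = []  # (user, sender) pairs already challenged

    def _wl(self, user: str) -> Set[str]:
        return self.whitelist.setdefault(user, set())

    @staticmethod
    def challenge_token(user: str, sender: str) -> str:
        # The token embedded in the challenge mail; the reply must carry it back unchanged.
        data = f"{user.lower()}|{sender.lower()}".encode()
        return hmac.new(CHALLENGE_KEY, data, hashlib.sha256).hexdigest()[:20]

    def record_outgoing(self, user: str, to: str) -> None:
        # Anyone the user writes to is implicitly trusted.
        self._wl(user).add(to.lower())

    def inbound(self, msg: Message) -> Verdict:
        sender = msg.sender.lower()
        if sender in self._wl(msg.recipient):
            self.delivered.append(msg)
            return Verdict("deliver")
        self.quarantine.setdefault(msg.recipient, []).append(msg)
        # Challenge a given sender only once per user; further mail just accumulates.
        if (msg.recipient, sender) not in self.challenges_sent:
            self.challenges_sent.append((msg.recipient, sender))
            return Verdict("quarantine", challenge_to=msg.sender)
        return Verdict("quarantine")

    def _release(self, user: str, sender: str) -> int:
        # Whitelist the sender and hand over everything they have waiting.
        self._wl(user).add(sender.lower())
        kept, released = [], 0
        for m in self.quarantine.get(user, []):
            if m.sender.lower() == sender.lower():
                self.delivered.append(m)
                released += 1
            else:
                kept.append(m)
        self.quarantine[user] = kept
        return released

    def challenge_reply(self, user: str, sender: str, token: str) -> int:
        # Constant-time comparison so a forged reply cannot be tuned byte by byte.
        if not hmac.compare_digest(self.challenge_token(user, sender), token):
            return -1  # invalid token: nothing is released or whitelisted
        return self._release(user, sender)

    def daily_digest(self, user: str) -> List[Tuple[str, str, str]]:
        return [(m.msg_id, m.sender, m.subject) for m in self.quarantine.get(user, [])]

    def release_from_digest(self, user: str, msg_id: str) -> int:
        # Manual release for senders that never answer challenges (lists, no-reply systems).
        for m in self.quarantine.get(user, []):
            if m.msg_id == msg_id:
                return self._release(user, m.sender)
        return 0
```

The digest path is what keeps automated senders usable: a mailing list will never answer the challenge, so the user has to release it once, after which the learned whitelist entry delivers future issues directly.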
From my experience, the daily digest does not seem to be enough :). And they still seem to blacklist WebEx invitations, which is really weird as it is definitely a "standard" for web conferences.
The Jaff waves and the massive number of threats make it really hard to identify. Wannacrytor may not be found directly attached to the mail; only a downloader for it (like Office docs/PDFs/JS) might be.
There is also a mistake in the DNS part. DNS queries are made from the client - and this is actually true for the majority of client/server requests - by opening a dynamic random port above 49152.
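The point about the source port is easy to see on the wire. The following is an added example written for this page (not code from the original post): it builds a raw DNS A query, sends it from a UDP socket bound to port 0 so the OS picks the ephemeral source port, answers it from a constructed fake resolver on loopback, and checks that the reply comes back to that port with the same transaction ID. The resolver table and the address 192.0.2.25 are made up for the demo. One caveat for anyone writing firewall rules: the exact ephemeral range is OS-dependent (the IANA range starts at 49152, but Linux defaults to 32768-60999 via net.ipv4.ip_local_port_range), which is why stateful "allow related/established" rules are used instead of hard-coding the range. The random source port together with the random 16-bit transaction ID is also what makes off-path spoofed answers expensive.

```python
import random
import socket
import struct
import threading
from typing import Dict, Tuple


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(pkt: bytes) -> Tuple[int, str, int]:
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos] != 0:
        ln = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + ln].decode())
        pos += 1 + ln
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype


def build_answer(query: bytes, ip: str) -> bytes:
    txid, _, _ = parse_query(query)
    question = query[12:]  # echo the question section verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, one answer
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL 60, rdlength 4.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_answer(pkt: bytes) -> Tuple[int, str]:
    txid = struct.unpack("!H", pkt[:2])[0]
    pos = 12
    while pkt[pos] != 0:  # skip the uncompressed question name
        pos += 1 + pkt[pos]
    pos += 1 + 4  # null label, QTYPE, QCLASS
    _, rtype, _, _, rdlen = struct.unpack("!HHHIH", pkt[pos:pos + 12])
    if rtype != 1 or rdlen != 4:
        raise ValueError("expected a single A record")
    return txid, socket.inet_ntoa(pkt[pos + 12:pos + 16])


def fake_resolver(sock: socket.socket, table: Dict[str, str]) -> None:
    # Serves exactly one query, replying to whatever address:port it came from.
    pkt, addr = sock.recvfrom(512)
    _, name, _ = parse_query(pkt)
    sock.sendto(build_answer(pkt, table.get(name, "0.0.0.0")), addr)


def resolve(name: str, server_addr: Tuple[str, int]) -> Dict[str, object]:
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))  # port 0: the OS picks a random ephemeral port
    src_port = client.getsockname()[1]
    txid = random.getrandbits(16)
    client.settimeout(2)
    try:
        client.sendto(build_query(txid, name), server_addr)
        data, from_addr = client.recvfrom(512)
    finally:
        client.close()
    rid, ip = parse_answer(data)
    # Reject anything that does not match the outstanding query (ID and peer address).
    if rid != txid or from_addr != server_addr:
        raise ValueError("response does not match the outstanding query")
    return {"source_port": src_port, "dest_port": server_addr[1], "ip": ip}


def demo() -> Dict[str, object]:
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # a real resolver would listen on port 53
    server_addr = srv.getsockname()
    t = threading.Thread(target=fake_resolver,
                         args=(srv, {"mail.example.org": "192.0.2.25"}), daemon=True)
    t.start()
    try:
        return resolve("mail.example.org", server_addr)
    finally:
        t.join(2)
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The resolver here listens on an ephemeral port too, only because binding port 53 needs privileges; the client side is unchanged from a real lookup, and the returned source port is the one a firewall would have to let the reply back in to.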