I would not say it should only be done with SASL. We should clearly
state in the documentation that the input mailadresses must be validated
to prevent fraud, but this should not be limited to SASL-AUTH in any
way. A simple turn-on/tun-off option for solution 3. would be my favourite.
The rest is up to the administration.
I have put it on the todo list. It will be included with the next release.
Djigzo open source email encryption