Re: Open Resolver Public DNS problem, 8.8.8.8
No, it has nothing to do with any particulars of the mail transmission path. It's a DNS lookup volume issue.
Spamhaus (and most other public DNSBLs) put a limit on how many DNS queries "you" can do for free. Most place that limit at 100k queries.
That's a fairly large mail system - a small private system doing direct lookups will generate on the order of hundreds to maybe the low thousands per day.
Each and every SMTP connection to your server will generate a query to the DNS cache you have configured. At a small scale, that will be passed on to Spamhaus' DNS servers each time because the cache timeout for DNSBL data is generally pretty short. As mail volume goes up, some of the lookups will be found in the cache instead, saving a query direct to Spamhaus.
If you run your own cache, you'll stay within the free limits for quite some time - easily 10k+ mailboxes and 200k+ messages/day for general ISP mail traffic.
However, if you're forwarding DNS queries to a big public cache, Spamhaus only "sees" the query from the public cache - there's no (trivial/simple) way to see the individual cache users. So the query volume from these shoots past that free 100k-query limit in a matter of a few minutes each day. DNS is pretty lightweight... up until you start looking at large platforms, supporting literally billions of queries daily. It costs big money to run a system capable of supporting that query volume, so they insist high-volume users pay for either a datafeed or "authenticated" direct query service.
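An added example, not part of the message above: a small Python check a mail admin can use to tell a real listing apart from a refused lookup when queries travel through a shared public cache. The zone `zen.spamhaus.org` and the error return codes are taken from Spamhaus' public documentation, not from this thread, and the function names are illustrative.

```python
import ipaddress
import socket

# Spamhaus error return codes (not listings). Assumption: values are from
# Spamhaus' public documentation, not from the message above.
ERROR_CODES = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer ends in .in-addr.arpa or .ip6.arpa; drop those two labels
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"

def classify(answers):
    """Map A records from a DNSBL query to a verdict ([] means NXDOMAIN)."""
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        # An error code says nothing about the client IP: do not reject mail
        # on it, raise an alert about the resolver path instead.
        return ("error", errors)
    listed = sorted(a for a in answers if a.startswith("127.0."))
    if listed:
        return ("listed", listed)
    if answers:
        return ("error", ["unexpected answer, not a DNSBL return code"])
    return ("not_listed", [])

def lookup(ip, zone="zen.spamhaus.org"):
    """Live lookup through whatever resolver this host is configured to use."""
    try:
        _, _, answers = socket.gethostbyname_ex(dnsbl_qname(ip, zone))
    except socket.gaierror:
        answers = []  # NXDOMAIN or resolver failure: no listing data
    return classify(answers)

if __name__ == "__main__":
    # 127.0.0.2 is the standard DNSBL test entry (RFC 5782)
    print(dnsbl_qname("127.0.0.2"), lookup("127.0.0.2"))
```

Run from the mail server itself, an `("error", ...)` result for the test entry means the lookups are not reaching Spamhaus in a usable way and the MTA's DNSBL check is not filtering anything.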