04-10-2023 01:55 PM - edited 04-10-2023 01:58 PM
OK, so we want to move our company from using the RAT table to querying an LDAP directory.
Right now, my co-worker's email is in this AD dir and mine is not. I made a test policy that any email from my gmail to anyone in the LDAP group would hit this policy. We do not have anything set on the listener.
Now, if I email from my gmail to alex@myco.com it hits the rule as expected, but if I email from my gmail to dustin@myco.com it hits the default policy as expected.
TAC said the RAT table supersedes LDAP, but if that was true my email should have hit that rule also. They also said it would not check LDAP without it set on the listener, but that is not true it would seem.
So,
1) I guess in what order does stuff get checked, does policy supersede RAT which supersedes LDAP?
2) How do I set the group check on the listener? I can select a query, but unlike a policy it doesn't have a spot to add the group.
2b) TAC said we have to call the group on the listener and also call the group in the mail policies, but policies are not listener specific.
2c) If it's just set on the listener, do I have to modify the query to the correct group? I.e., change
(&(memberOf={g})(proxyAddresses=smtp:{a}))
to
(&(memberOf={CN=fg_External_Email_Access,OU=Domain,OU=Functional Groups,DC=MYCO,DC=COM})(proxyAddresses=smtp:{a}))
3) Where/what does the RAT table play in it, do we blank it out once we set LDAP?
My biggest issue is there really is no easy way to test global email settings without causing issues. We get over 150k/day incoming emails on 3 ESAs. So, if we mess it up we can mess up 1/3 of our emails.
04-10-2023 02:16 PM
04-10-2023 02:30 PM
Yeah, this is the issue, we do limit who can be emailed as some email addresses are internal use only along with distribution lists.
And yeah, they used the RAT as the filter, there are over 6800 entries in the RAT currently for any email that can be accepted.
So, because of some internal only emails etc, they want to have a FG of externally available email addresses and for the ESAs to check that instead of manual RAT entries.
So, with that, do we leave the policies to any recipient, set the LDAP group query on the listener, and blank out the RAT table?
04-10-2023 02:45 PM
04-11-2023 06:09 AM
Thanks,
And yeah, I figured they should be able to do it in Exchange, but our admin didn't seem to know how so it looks to be falling to us to do their job.
04-13-2023 09:07 AM