I have DNSWatch turned off on the 1-to-1 email NAT IP. Is this the only thing that needs to be done? Documentation is lacking, to say the least. I do not want the email server DNS interfered with, as that opens a whole new can of worms.
Exactly where are you seeing the option to disable DNSWatch for this IP addr?
I am not aware of it.
Also, what XTM version are you running?
Removing the NAT IP from the protected IPs would remove that IP from getting responses from DNSWatch.
If you're using DNS forwarding on the firewall, you may wish to disable that, as it will globally forward all DNS lookups, regardless of where they come from.
I would suggest leaving the mail server protected by DNSWatch, as DNSWatch will resolve MX records with no issue. Removing the protection means that any blackholed IPs will be resolved to their actual IPs on the mail server.
WatchGuard Customer Support