Streaming Secure Messaging
In general you must force outbound mail into some realm and stream. It doesn't have to be associated with a particular client; in Hosted CanIt, for example, we made a special realm called outbound-container-realm and we force outbound mail into outbound-container-realm:default
Next: When CanIt sees mail forced into a stream, it assumes it's outbound mail. It uses the realm and stream of the *sender* to figure out which Secure Messaging rules to apply. So it all works as expected: If email@example.com sends mail out, the rules applied will be from firstname.lastname@example.org's stream and realm. If email@example.com sends mail out, even though the actual outbound mail is in the outbound realm and stream the secure messaging rules from firstname.lastname@example.org's realm and stream apply.
To recap: Forcing mail into a realm:stream using Known Networks is the *only* way CanIt can distinguish inbound from outbound mail and handle them correctly.