Here's my suggestion: Rate limit the emails at a very low number, and require higher privileges for sending mass emails which must be granted on a per-mailout basis. Users that know they're going to send out a high volume would get an access token from IT (the process for doing so would have to strike a balance of convenience and security).
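A sketch of the policy suggested above, as an added example that is not part of the original post: a low default per-sender limit, with larger sends allowed only when the sender presents a single-use grant that IT has signed for that sender and that one mailout. The names (`MailGate`, `issue_grant`), the limit of 5 messages per hour, the token layout and the HMAC key are all assumptions made for illustration.

```python
import hashlib, hmac, json, time
from collections import defaultdict, deque

IT_KEY = b"constructed-demo-key"   # assumption: secret known only to IT's issuing service and the gate
DEFAULT_LIMIT, WINDOW = 5, 3600    # assumption: 5 messages per sender per hour without a grant

def issue_grant(sender, mailout_id, max_rcpts, expires, key=IT_KEY):
    """IT side: sign a grant bound to one sender, one mailout, a recipient cap and an integer Unix expiry."""
    msg = json.dumps([sender, mailout_id, max_rcpts, expires]).encode()  # unambiguous field encoding
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{mailout_id}|{max_rcpts}|{expires}|{mac}"

class MailGate:
    def __init__(self, key=IT_KEY):
        self.key = key
        self.sent = defaultdict(deque)   # sender -> timestamps of messages inside the window
        self.used = set()                # (sender, mailout_id) pairs already redeemed

    def allow(self, sender, n_rcpts, token=None, now=None):
        """Return (allowed, reason) for one request to send n_rcpts messages."""
        now = time.time() if now is None else now
        if token is not None:
            return self._redeem(sender, token, n_rcpts, now)
        q = self.sent[sender]
        while q and q[0] <= now - WINDOW:   # drop timestamps that have left the sliding window
            q.popleft()
        if len(q) + n_rcpts > DEFAULT_LIMIT:
            return False, "rate limit exceeded; request a mailout grant from IT"
        q.extend([now] * n_rcpts)
        return True, "within default limit"

    def _redeem(self, sender, token, n_rcpts, now):
        try:
            mailout_id, max_rcpts, expires, mac = token.rsplit("|", 3)
            max_rcpts, expires = int(max_rcpts), int(expires)
        except ValueError:
            return False, "malformed grant"
        good = issue_grant(sender, mailout_id, max_rcpts, expires, self.key).rsplit("|", 1)[1]
        if not hmac.compare_digest(mac.encode(), good.encode()):   # constant-time comparison
            return False, "invalid grant signature"
        if now > expires:
            return False, "grant expired"
        if (sender, mailout_id) in self.used:
            return False, "grant already used"
        if n_rcpts > max_rcpts:
            return False, "recipient count exceeds grant"
        self.used.add((sender, mailout_id))   # single use: one grant covers one mailout
        return True, "mailout grant accepted"
```

Because the MAC covers the sender, a grant copied from one account is rejected when presented by another, and a request without a grant always falls back to the low default limit.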