1. we should add a "allowed_domains" regexp for addresses that don't 
trigger validation (admins will be responsible for ensuring that their 
regexps don't let too much in of course)

2. I'm okay with adding a "central_validation_email" that if set would 
get all confirmation requests.

I think that our first pass would be to either...
- redirect the identity confirmation messages to a central address 
(perhaps Horde's $conf['problems']['email'])
- only invoked identify confirmation messages if the Reply-to or From 
contained a domain other than that server's "maildomain"

Not to be too picky, but sure, it'd be cool - any suggestions on how 
to do it in a way that doesn't make Horde overly complicated?

It would be cool if the identity creation confirmation email...
- was only invoked when creating an identity with a non-local From / Reply-to
- could be directed to central administrative user

Spammy users often control the addresses they use as From and 
Reply-to, so we don't gain a lot by having them confirm their spammy 
yahoo account.

Maybe there could be a web based admin tool to approve / deny 
identities.. something where the identity in question was displayed to 
the admin, so they could better judge whether the id was legit.