Oscar,
I would say for:
1. setting a specific standard account, let's say, oacs-emails,
so then you just make your proc go to the directory and schedule it to parse them all! The solution should support any kind of MTA.
2. could have an email-id, so you get a mapping table where the answer belongs to a user-id (or an encrypted form of it), and you can verify whether the user's email from which you are getting the message is the same as the registered email for that user-id. I don't see another clear way of checking it right now.
3. it's better to use already proven stuff, especially for email parsing, which changes from time to time
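The check in point 2 (an email-id carried by each outgoing mail, a mapping table to user-id, and a sender match against the registered address) as an added example, not code from the post or from any project; it assumes the email-id is plus-tagged onto the oacs-emails recipient address and the mapping table is a constructed dictionary:

```python
import email
import mailbox
from email import policy
from email.utils import parseaddr

ACCOUNT = "oacs-emails"  # the dedicated standard account from point 1

# Constructed mapping table: email_id -> (user_id, registered_email).
# Each outgoing mail gets its own email_id, so an unknown id is rejected.
MAPPING = {
    "a1b2c3": (1001, "alice@example.org"),
    "d4e5f6": (1002, "bob@example.org"),
}


def extract_email_id(msg):
    """Assumption: replies arrive at <ACCOUNT>+<email_id>@<domain>."""
    for hdr in ("Delivered-To", "To"):
        _, addr = parseaddr(msg.get(hdr, ""))
        local = addr.split("@", 1)[0]
        if local.startswith(ACCOUNT + "+"):
            return local[len(ACCOUNT) + 1:]
    return None


def verify_reply(raw_bytes, mapping=MAPPING):
    """Return (user_id, body) when accepted, or (None, reason) when not."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    email_id = extract_email_id(msg)
    if email_id is None or email_id not in mapping:
        return None, "unknown email-id"
    user_id, registered = mapping[email_id]
    _, sender = parseaddr(msg.get("From", ""))
    # The From address must match the email registered for that user-id;
    # a matching email-id alone is not enough to attribute the answer.
    if sender.lower() != registered.lower():
        return None, "sender does not match registered email"
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part is not None else ""
    return user_id, body


def process_maildir(path, mapping=MAPPING):
    """Walk the account's Maildir (point 1) and verify every message."""
    box = mailbox.Maildir(path, create=False)
    return [verify_reply(m.as_bytes(), mapping) for _, m in box.iteritems()]
```

Messages that fail either check are returned with the reason so the scheduled job can log them rather than silently attributing an answer to the wrong user.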