This happens because Exchange 2010 automatically sets the attribute Require that all senders are authenticated to enabled by default.
To clear this setting, view the properties of the distribution group and double-click Message Delivery Restrictions on the Mail Flow Settings tab:
Then clear the checkbox for Require that all senders are authenticated and click OK.
Test-EdgeSynchronization -VerifyRecipient zzz.domain.com
Somewhat surprisingly, this result does not change when Require that all senders are authenticated is disabled.
I can't believe I've never run into this until now.
Before you ask, there is no way to change the default behavior of Exchange 2010 to create all distribution groups with the authentication setting set to disabled (unchecked).