Multi-domain on single server: DNS, multi-CoS, proxy and best practice

Hi everyone

For the past 2 years we've been using Zimbra under a single domain, but I'm now looking to expand it so that Zimbra handles domains for various associates. So people who already have a Zimbra account can have an additional alias for @newdomain.com, or new accounts can be created for @newdomain.com users.
At the moment our mail server is hosted over our ADSL connection, but once I have built a new machine and got this procedure up and going

From the admin interface it looks easy to add a new domain, but my questions relate to the broader aspects of running a Zimbra server which handles multiple domains. I'd like there to be as little extra configuration needed as possible when adding new domains, so I want to make sure I get it correct in my mind before I start.

So here are my questions...

1) Bind/named. We have bind/named running as the DNS server on our Zimbra server. This means I have to keep the local Zimbra copy of our DNS records in sync with our external DNS server (cPanel/WHM).
Is there any way I can have the DNS records synced from our external DNS server for those domains? Or is it not worth the hassle of setting up DNS replication?

2) Bind/named records. So to add newdomain.com to the DNS on our Zimbra server, I need to add this to named.conf...
Code:
zone "newdomain.com" {
    type master;
    file "db.newdomain.com";
};
Then create db.newdomain.com in the same way I created it for our existing domain?

3) A records. If I want users to be able to access the server using mail.newdomain.com then I'll need to set up an A record for mail.newdomain.com to point to the server's IP address. But because I only allow communication over TLS/SSL, surely when they try to access mail.newdomain.com they'll get certificate warnings, because we have the commercial SSL cert under mail.domain.com.
Is there a way to have per-domain SSL certificates to avoid these warnings?
Or would the server then need multiple IP addresses to support the multiple SSL certs?
I'm thinking I might not set an A record, so users are forced to use our existing server address. That way they won't get any SSL warnings (which seem harder and harder to override these days!).

4) MX records. For newdomain.com should I just create an MX record to point to mail.domain.com?
Or should I create an A record for mail.newdomain.com pointing to the server's IP address, and have the MX record for newdomain.com pointing to that A record?
For mail delivery and spam filters, does it make any difference that the MX record for newdomain.com is actually pointing to a different domain's subdomain (e.g. mail.domain.com as opposed to mail.newdomain.com)?

5) SPF records. We have an SPF record for our current domain which explicitly lists the only servers that can relay mail for domain.com.
For newdomain.com I could either do an include: of domain.com so it picks up the existing SPF record for domain.com.
Or I could just copy & paste the SPF record for domain.com so I have to maintain 2 identical SPF records. Not loads of work but if there's a way to slipstream it then I'd like to try. All mail from domains on the Zimbra servers will originate from the same IP addresses (our web servers and a private mail relay VPS).
Are there any downsides to including an SPF record from another domain?
Does it even work like that?

6) Mail relay. All our outgoing e-mail from Zimbra gets routed through an SSH tunnel to a private postfix VPS and delivered out to the internet from there. The hostname of this private relay is mailer.domain.com.
Is there any disadvantage in having mail from newdomain.com being sent out onto the internet by a server within a different domain, e.g. increased "spamminess"?
Or is it no problem so long as mailer.domain.com is listed in the SPF record for newdomain.com?

7) DKIM/DomainKeys. The reason we have all outgoing e-mail routed through a single external relay is that it makes it easier for us to use DKIM/DomainKeys without having to mess around with modifying any configuration files associated with Zimbra. The downside is that internal mail isn't signed.
Is it best practice to have a different DKIM key for each domain?
Or could I re-use the key that we have for domain.com, since the mail for both domains originates from the same server?

8) Zimbra proxy. Do I need the Zimbra proxy service for multi-domain support?
E.g. being able to access their mail from https://mail.newdomain.com instead of https://mail.domain.com?
Or is Zimbra proxy mainly for multi-server uses?

9) Per-domain global address lists. Will the GAL list all accounts on the Zimbra server? Or just ones from a matching domain?
How do hosting providers avoid exposing all hosted accounts in the GAL, yet still retain GAL functionality?

Hope that was all clear and I'm looking forward to getting some advice on all this!

Cheers, B
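An added example, not part of the original post and not Zimbra's or bind's code: an offline audit of the record layout asked about in questions 4, 5 and 7 above (MX for newdomain.com pointing at mail.domain.com, SPF via include:domain.com, DKIM keys per domain). The zone data is constructed to match the scenario in the post (203.0.113.x TEST-NET-3 addresses, selector `sel1`, a truncated placeholder public key) and is not real DNS; in production the `lookup()` function would be replaced by real DNS queries. It checks the two things that actually go wrong with this layout: an MX target that does not resolve to an address (or is a CNAME), and an SPF include chain that loops or exceeds the 10 DNS-lookup limit of RFC 7208 section 4.6.4, either of which makes receivers return permerror for every sender of the domain.

```python
"""Offline audit of MX / SPF / DKIM records for domains hosted on one mail server.

Added example with constructed zone data; 'lookup' stands in for real DNS.
"""

# Constructed records, keyed by (owner name, RR type). Not real zone data.
ZONE = {
    ("domain.com", "MX"): [(10, "mail.domain.com")],
    ("mail.domain.com", "A"): ["203.0.113.10"],
    ("mailer.domain.com", "A"): ["203.0.113.20"],
    ("domain.com", "TXT"): ["v=spf1 ip4:203.0.113.20 a:mailer.domain.com -all"],
    # newdomain.com: MX points at another domain's host, SPF pulls in domain.com.
    ("newdomain.com", "MX"): [(10, "mail.domain.com")],
    ("newdomain.com", "TXT"): ["v=spf1 include:domain.com -all"],
    # DKIM selector published under both domains with the *same* key (placeholder).
    ("sel1._domainkey.domain.com", "TXT"): ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."],
    ("sel1._domainkey.newdomain.com", "TXT"): ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."],
    # Deliberately broken cases for the checks below.
    ("bad.example", "MX"): [(10, "nowhere.example")],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup(zone, name, rrtype):
    """Return the records for (name, rrtype) from the constructed zone, or []."""
    return zone.get((name.lower().rstrip("."), rrtype), [])


def check_mx(zone, domain):
    """Problems with a domain's MX set. The target may live under any domain
    (mail.domain.com is a fine MX for newdomain.com) but must be a hostname
    with an address record, not a CNAME (RFC 5321 section 5.1)."""
    issues = []
    mxs = lookup(zone, domain, "MX")
    if not mxs:
        issues.append(f"{domain}: no MX record")
    for _prio, target in mxs:
        if lookup(zone, target, "CNAME"):
            issues.append(f"{domain}: MX target {target} is a CNAME")
        elif not lookup(zone, target, "A") and not lookup(zone, target, "AAAA"):
            issues.append(f"{domain}: MX target {target} has no A/AAAA record")
    return issues


def spf_record(zone, domain):
    """The single v=spf1 TXT record for a domain; None if absent or duplicated."""
    txts = [t for t in lookup(zone, domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    return txts[0] if len(txts) == 1 else None


def spf_lookup_count(zone, domain, path=()):
    """Count DNS-querying terms (include, a, mx, ptr, exists, redirect) across
    the whole include/redirect chain. Raises ValueError on a loop or a missing
    record; a receiver would treat both as permerror."""
    domain = domain.lower()
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    record = spf_record(zone, domain)
    if record is None:
        raise ValueError(f"no (or ambiguous) SPF record for {domain}")
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        head = term.split(":", 1)[0]
        if "=" in head:                      # modifier, e.g. redirect=other.example
            mod, _, value = term.partition("=")
            if mod.lower() == "redirect":
                count += 1 + spf_lookup_count(zone, value, path + (domain,))
            continue
        mech, value = head.split("/")[0].lower(), term.partition(":")[2]
        if mech == "include":
            count += 1 + spf_lookup_count(zone, value, path + (domain,))
        elif mech in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def spf_status(zone, domain):
    """('pass', n_lookups) when the record is evaluable, else ('permerror', why)."""
    try:
        n = spf_lookup_count(zone, domain)
    except ValueError as exc:
        return ("permerror", str(exc))
    if n > SPF_MAX_LOOKUPS:
        return ("permerror", f"{n} DNS lookups exceeds limit of {SPF_MAX_LOOKUPS}")
    return ("pass", n)


def dkim_public_key(zone, domain, selector):
    """The p= value of selector._domainkey.domain, or None."""
    for txt in lookup(zone, f"{selector}._domainkey.{domain}", "TXT"):
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        if tags.get("v", "DKIM1").strip() == "DKIM1" and "p" in tags:
            return tags["p"].strip()
    return None


def domains_sharing_dkim_key(zone, domains, selector):
    """Groups of domains publishing the same DKIM public key. Signing with
    d=newdomain.com and domain.com's key verifies (the verifier fetches
    selector._domainkey.<d= domain>), but a per-domain key keeps rotation or
    compromise of one key from touching the other domain."""
    by_key = {}
    for d in domains:
        key = dkim_public_key(zone, d, selector)
        if key:
            by_key.setdefault(key, []).append(d)
    return [ds for ds in by_key.values() if len(ds) > 1]


if __name__ == "__main__":
    for d in ("domain.com", "newdomain.com", "bad.example", "loop.example"):
        print(d, "MX:", check_mx(ZONE, d) or "ok", "SPF:", spf_status(ZONE, d))
    print("shared DKIM keys:", domains_sharing_dkim_key(ZONE, ["domain.com", "newdomain.com"], "sel1"))
```

The include: form is the one that scales: newdomain.com only needs `v=spf1 include:domain.com -all`, and every sender change is made once in domain.com. The cost is that the include itself is one DNS lookup and every a:/mx:/include: term inside the included record counts too, so the 10-lookup budget is shared across the chain; the audit above reports the total so the chain can be kept short.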