I ran into something similar with the DMV. It took a dozen calls to help them understand why RFC1918 private addresses in public MX records won't work. They wanted me to email the details...
Another 3 letter agency that shall not be named tried every two years when their certs would expire to order us to install their server certs into all 50k of our servers rather than just installing their intermediate cert correctly. That went on for 6 years and they finally corrected their behavior. Nobody would believe me if I said which agency was doing that and they do not respond well to embarrassment anyway.
I guess what I am suggesting is to give them time. It will probably take a bit to escalate internally.
Another 3 letter agency that shall not be named tried every two years when their certs would expire to order us to install their server certs into all 50k of our servers rather than just installing their intermediate cert correctly. That went on for 6 years and they finally corrected their behavior. Nobody would believe me if I said which agency was doing that and they do not respond well to embarrassment anyway.
I guess what I am suggesting is to give them time. It will probably take a bit to escalate internally.