I did a search in ADUC using the LDAP query (|(proxyAddresses=smtp:user@site.org)(mail=user@site.org)), and for all 6 of my accounts with issues I only got one response, not multiple. The linked article suggests querying the Azure AD but doesn't say how?
As for syncing, it appears what you are saying is that if you want ongoing sync you must allow DirSync to sync the entire domain and cannot have ongoing filtering. This means all users and groups are always going to be synced, correct? As I mentioned, I am in hybrid mode with some on-premises Exchange and some Office 365 users. The on-premises ones are @site.org and the Office 365 ones are @student.site.org. I don't want the @site.org to be hosted / controlled by Office 365. If I add it as a domain, what will happen to those accounts?