You may be confusing incoming and outgoing relaying
the /var/qmail/smtproutes settings are used to tell your qmail server to forward any email received for domain X to IP address Y rather than store it locally (unless IP address Y is down, in which case it will store locally until it comes up).
To allow your customer to use your hosting server to send email, the method you use will depend on your requirements. By whitelisting their IP in the appropriate place in Plesk (same place as 127.0.0.1 is whitelisted), no authentication will be required, end of story.
If you do want authentication, then they will need to use a username and password. To keep it whitelabel, you'd probably want to set up a full hosting account in order to be able to give them a username of firstname.lastname@example.org
but equally you could always just create email@example.com
-- why bother with the smtp? In either case, set the mailbox size to 0, or disable the mailbox, so that incoming mail gets rejected.
With SPF, just make sure the IP of your server gets added to the appropriate record.
Note that if their IP is balcklisted (e.g. marked as a dyndns or just generally blacklisted due to it belongong to an ISP), your server may mark their outgoing messages with a spam tag, or may reject completely if they are on a blacklist used by your server for incoming email. Use port 587 with authentication and no blacklisting to get around most of this. You may need to add some spamassassin rules to whitelist, or at least add a minus score, so email sent from their domain (fake-able) or IP address.
I hope this helps -- sorry for lack of detail.