It's been a while since I've messed with the details of mail servers, but it would seem that if a server passes the graylist test once, that's a good indication that it will continue to pass it, so you may want to see if you can have the graylist process allow the 2fa mails after the first one makes it through with retries.

Won't help much if they have a large outbound cluster though.