Domain Admin Accessing Mailboxes
What, if anything, can be done to prevent and/or limit a DA from accessing any mailbox on the domain?
September 17th, 2007 4:54pm

By default, domain admins have deny permissions, but they can override them. The best thing to do would be to take people out of the domain admin group and delegate the specific permissions they need to do their jobs. My personal theory is that no one ever needs to be a domain admin. You need the account when you install Exchange, etc., but otherwise I delegate control.
September 17th, 2007 9:14pm

There are instances where "someone" needs to have that ability. Not a good practice, but it seems that people will eventually have this right. It comes down to bad apples. The better approach is to keep honest people honest, and fire the others. There are multiple vendors out there that sell e-mail security systems that have details as to who has been up to what. If you divide e-mail and general server admins, it makes it a much smaller crowd to keep honest. Any security group can be given the right to perform e-mail maintenance; it does not have to be (and actually should not be) the domain admin group. If someone knows there is going to be a record of them snooping, it will stop the casual e-mail browsing to find out if "Bob and Tammy are doing it" or if "Bob makes more money than me". But, you have to ensure the persons that have e-mail admin rights are not the same people maintaining the security software/devices that log it. I guess what it comes down to is trust. Find people you trust, and put safeguards in place so that everyone knows what to expect if they violate that trust. This holds true across e-mail, as well as anything else on the network that holds data. Do you know when an admin browses through your finance's Excel spreadsheets that contain everyone's salary? Of course finance shouldn't have such a spreadsheet, but they always do. Also, be aware that we Admins usually don't like being monitored very much. You will most likely find extreme resistance to anything that keeps tabs on Admins. But, it is for our own good I guess.
September 17th, 2007 11:12pm
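The replies above recommend delegating mailbox rights to a dedicated group and keeping a record of who can read whose mail. As an added example (not posted by anyone in this thread), the following Exchange Management Shell script inventories the grants that actually allow mailbox access so they can be reviewed; the `CONTOSO\...` names in `$Watched` are placeholders and assumptions, not values from the thread.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
param(
    # Assumption: placeholder names; replace with your own privileged groups/accounts.
    [string[]]$Watched = @('CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')
)

# Explicit (non-inherited) allow entries that grant FullAccess on a single mailbox.
$mailboxGrants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.Deny -and -not $_.IsInherited -and
        ($_.AccessRights -match 'FullAccess') -and
        ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Scope = 'Mailbox'; Target = $_.Identity.ToString()
            User = $_.User.ToString(); Right = 'FullAccess'; Inherited = $false
        }
    }

# Allow entries for the Receive-As extended right on a mailbox database.
# A single grant here lets the holder open every mailbox stored in that database.
$databaseGrants = Get-MailboxDatabase |
    Get-ADPermission |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'Receive-As') } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Scope = 'Database'; Target = $_.Identity.ToString()
            User = $_.User.ToString(); Right = 'Receive-As'; Inherited = $_.IsInherited
        }
    }

# Flag grants held directly by the watched principals and list those first.
@($mailboxGrants) + @($databaseGrants) |
    ForEach-Object {
        $_ | Add-Member NoteProperty Watched ($Watched -contains $_.User) -PassThru
    } |
    Sort-Object @{Expression = 'Watched'; Descending = $true}, Scope, Target |
    Format-Table Watched, Scope, Target, User, Right, Inherited -AutoSize
```

Saving the output on a schedule and comparing it with the previous run shows when someone has granted themselves access; the comparison should be reviewed by someone other than the mail administrators.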

This topic is archived. No further replies will be accepted.
