Jothand
Just do it, sme caters for all you want.
> Do I add their domain to any global whitelists?
You would add external senders to your whitelists if required.
> How do I insure that they don't end up on a spam list somewhere?
Referring to your users on your system, don't let them send spam or get virus infections that send a lot of spam.
> Whats the best way to secure the SME email server?
It's already secure by default, but don't use POP on external connections, use POPS or secure webmail (both available by default).
> Should I set up a back up email server in case this one goes down?
No, (unless you have a very high volume of email).
Email will be held in external queues and forwarded when your server is back up.
Also do not have/create a backup mail MX record, as this will only allow more spam into your system as antispam measures in sme are circumvented when you use a second backup MX record.
> If so, can someone point me to a good howto on the subject?
I think you need to read all the manuals too & this is not a RTFM suggestion, it clearly sounds like you have not read the manuals at all, as all setup is explained there.
http://wiki.contribs.org/SME_Server:Documentation