OK, after much research it seems the best (at least to my mind) solution is to use an A record rather than CNAME for the domain level record.
You may be screaming "what! but the IP address is dynamically assigned!". Yes, but only if you tear down your deployment and replace it. Windows Azure will keep your VIP address so long as you publish to staging and use the "swap production and staging" option. Doing so preserves your VIP address so you can use an A record in your DNS instead of a CNAME.
See http://www.windowsazure.com/en-us/develop/net/common-tasks/custom-dns/ for some background.
Note that MS's official line is to recommend CNAME rather than A record due to the possible swapping of an IP address, but I guess they are not thinking about people wanting to run http://mydomain.com on the Azure platform.
I did also find other possible solutions including building an SMTP listener into your app that reads mail on port 25 and forwards it back out. Technically good, but sledgehammer and nut spring to mind, plus it's one more thing to go wrong, and of course one more bunch of resources to pay for.
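
Added example (not part of the original answer): since the A record is only valid while the deployment keeps its VIP, a scheduled check can compare the apex A record with the address the Azure-assigned hostname currently resolves to and flag a stale record after a teardown. The hostname `myapp.cloudapp.net`, the function names and the sample addresses are assumptions made for illustration.

```python
import socket


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_apex_record(apex, azure_host, resolve=resolve_ipv4):
    """Compare the apex A record(s) with the VIP behind the Azure hostname.

    Returns (status, stale, missing):
      stale   - addresses the apex still points at that are no longer the VIP
                (traffic is going to an address the deployment does not own)
      missing - current VIP addresses that the apex record does not list
    """
    try:
        apex_ips = set(resolve(apex))
        vip_ips = set(resolve(azure_host))
    except OSError:  # socket.gaierror is a subclass of OSError
        return ("unresolvable", set(), set())
    stale = apex_ips - vip_ips
    missing = vip_ips - apex_ips
    status = "drift" if stale or missing else "ok"
    return (status, stale, missing)


if __name__ == "__main__":
    # Constructed sample data so the demo runs offline; the addresses come
    # from the documentation ranges and the Azure hostname is a placeholder.
    sample = {
        "mydomain.com": {"203.0.113.10"},        # A record set by hand
        "myapp.cloudapp.net": {"198.51.100.7"},  # VIP after a redeploy
    }

    def fake_resolve(name):
        if name not in sample:
            raise OSError("no such host: " + name)
        return sample[name]

    status, stale, missing = check_apex_record(
        "mydomain.com", "myapp.cloudapp.net", resolve=fake_resolve)
    print(status, "stale:", sorted(stale), "missing:", sorted(missing))
```

Run without the `resolve` argument to query live DNS, and alert on any status other than `ok`.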