I don't get a lot of info, but the URL (*.xyz) is kind of odd and might be the issue?

Weird, I don't see why a whole TLD would be blocked. Even Alphabet uses it!

I chose it because .io was way too expensive for my student budget and xyz looked cool.

I hate to say this, but on the server I manage at my day job, I've never, ever seen legitimate email traffic from an .xyz domain, or a .club, .rocks, .work, or any other "gold rush" TLD. Nothing but snowshoe spam/phishing/malware, to the point that my policy is "block on sight."