Nathanael Hoyle wrote:

> For now, I have gone with a somewhat different approach. I actually
> have the primary MX listed as an IP that is a network boundary (and
> therefore flatly unusable), the advantage I see is that the connect
> attempt will fail notably faster than it would if it had to time out,
> which reduces the burden on legitimate hosts, but is still just as
> undeliverable, keeping the desired effect. I will post with further
> results as I have the opportunity to observe them.

I'm using a host that has no A record (NXDOMAIN) as the dead primary in
some of my configurations. While it applies less of a penalty, it isn't
RFC-compliant, so I'm not strongly recommending it:

RFC 2181, 10.3. MX and NS records:

This domain name must have as its value one or more address records.

It's conceivable that someone would filter on this criteria (although I
think it would be misguided, as long as there was a valid MX in the
list). Many people filter on the presence of bogons, so avoid using
these at all costs. Network boundary addresses come dangerously close to
being easily identified as invalid, so be cautious with this approach.

Wietse offered this advice in an earlier exchange:

"If you're concerned about listing a primary MX record without valid
A record, you could instead supply an IP address that immediately
returns a TCP RESET. This could be done with a packet filter rule,
or by giving a machine a second external IP address without an SMTP
listener on it."

Using a packet filter offers the opportunity for logging.