Spam filtering, MX & Port 25
misterd
03-09-2007, 11:52 PM
I have been using Steadfast's filtering service for about a week now. Only got one spam in my inbox so far (of all emails routed through SF's filter). That's very good compared to SpamAssassin and several other pattern-based filters.
However, I just learned something others probably already knew. I don't know what's written in the RFC, but it turns out that some spammers would hit your server directly without checking the MX record.
i.e. :
mydomain.com A 10.0.0.1
mydomain.com MX mx0.steadfast.net
The spammer would just hit 10.0.0.1 directly. This is not good for those who have all services running on the same IP address.
Getting an extra IP address for receiving emails from mx0.steadfast and as an MX for other unfiltered domains, then blocking port 25 on other IP addresses, fixes the problem.
If you're running your own server & plan on getting this filtering service, do not run MX on your domain's primary address.
Kevin
03-10-2007, 03:23 AM
Spammers will also take advantage of any backup MX records on your domain as well, so adding the spam filter as a higher priority MX will also leave the possibility of letting spammers through. The best configuration is to have only the spam filter MX in your DNS.
In any case, with our shared hosting, since the mail server is a separate physical box, sending email to the web server the A record points to is ineffective. Your suggestion is certainly a reasonable way to set up an MX.
Since we are now recommending avoiding the use of the main server IP for hosting sites, placing the sites on secondary IPs and setting the MTA to only listen on the main IP might be an option for some people; however, due to the way most control panels operate, it might require some extra manual DNS and MTA tweaking.
misterd
03-10-2007, 11:02 AM
I subscribed to a backup MX service for some of my domains. Please correct me if I'm wrong, but I think the backup MX service would accept the mail and attempt to deliver to the higher priority MX.
If I only have mx0.steadfast.net and mx.backupservice.com, at the end, all emails will be routed through mx0.steadfast.net.
The other way out that I can think of is to have an MX running on a non-standard port. (Imagine buying a server in Europe or Asia where they only allow 1 IP per box, or 24 IP addresses per cabinet!) But the catch is that all domains on this box must subscribe to the filtering service. SF filtering service is flexible enough to deliver on a non-standard port.
The backup MX host should store the mail until the higher priority server is once again available. It should then deliver it to that server, which in the case of our spam filtering service, then delivers it to the appropriate destination server. So, yes, all mail should end up going through the mx0.steadfast.net host.
Kevin
03-11-2007, 06:36 AM
Yes, I only meant that if you used a backup MX in case our spam filtering appliance was down, which simply directed mail directly to your server, spammers might use that MX record and manage to bypass the filter. The secondary MX should not really be necessary in this case, as mx0.steadfast.net should never be down for long enough for email sending attempts to time out (generally at least 3 days).
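Added example, not part of the thread: one way to check whether mail is still reaching the origin server without passing through the filter MX (direct hits on the A record, or a backup MX that delivers straight to the server) is to scan the MTA log for SMTP sessions from anything other than the filter. It assumes a Postfix-style "connect from" log line; the filter's address range, hostnames and log lines are constructed placeholders.

```python
import ipaddress
import re

# Assumption: range the filtering service delivers from. A documentation range
# is used as a placeholder; the thread does not give the real addresses.
FILTER_NETS = [ipaddress.ip_network("192.0.2.0/28")]
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Postfix smtpd logs each inbound session as "connect from name[address]".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([0-9A-Fa-f:.]+)\]")

# Constructed sample log lines (hostnames and addresses are not real).
SAMPLE_LOG = """\
Mar 10 03:21:07 web1 postfix/smtpd[4121]: connect from mx0.filter.example[192.0.2.5]
Mar 10 03:21:09 web1 postfix/smtpd[4125]: connect from unknown[203.0.113.77]
Mar 10 03:22:40 web1 postfix/smtpd[4130]: connect from localhost[127.0.0.1]
Mar 10 03:23:02 web1 postfix/smtpd[4133]: connect from mx.backup.example[198.51.100.20]
Mar 10 03:23:02 web1 postfix/cleanup[4140]: 3F2A01: message-id=<x@example>
Mar 10 03:24:15 web1 postfix/smtpd[4141]: connect from unknown[203.0.113.77]
"""

def find_bypass_clients(log_text, allowed=FILTER_NETS + LOCAL_NETS):
    """Return {client_ip: session_count} for SMTP sessions that did not come
    from the filter or the local host, i.e. mail that skipped the filter MX."""
    hits = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # not an smtpd connect line
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address in the log, skip it
        if any(ip in net for net in allowed):
            continue  # expected path: delivered by the filter or locally
        hits[str(ip)] = hits.get(str(ip), 0) + 1
    return hits

if __name__ == "__main__":
    for ip, count in sorted(find_bypass_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {count} direct session(s) that bypassed the filter")
```

Once port 25 is restricted to the filter as described in the thread, this report should come back empty; any remaining entry points at a listener or MX record that still offers a path around the filter.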