ietf-smtp

Re: nullmx

2008-03-31 13:56:08

Mark Andrews wrote:

It doesn't, however, mean you cannot send mail from that
machine. You just have to set an appropriate mail
domain for outgoing mail.

Rather than toster@toaster.example.net the mail would come
from tosterXXX@example.net or something similar if you
were using "MX 0 .".

JFTR, that is a nullmx for toaster.example.net, and the host
toaster.example.net can send MAIL FROM tosterXXX@example.net
(or from almost any address excluding @toaster.example.net).

Mail to <postmaster> at this host is still supposed to work.
I couldn't tell without cheating (= looking into 2821bis) if
that's MUSTard, SHOULD, or between the lines.

Non-delivery reports don't have to go back to the originating
machine.

I can sing "originator as indicated in the reverse-path", in
moments when JohnK would seriously wish that I don't try to 
sing, at least not on this list.

BTW, your example also shows another reason why "v=spf1 -all"
is not the same as nullmx.  The toaster.example.net MTA using
this FQDN in its EHLO needs "v=spf1 a -all" (added "a") or 
another way to indicate that it's permitted to use this name.

When it sends an NDR or any mail with an empty reverse-path
receivers checking SPF look for a policy associated with the
EHLO name, and that is generally recommended in RFC 4408 for
the purpose of rejecting abuse of EHLO names, not limited to
empty reverse-paths.

Clearly nobody is forced to protect EHLO names with SPF FAIL,
but if they do they better get this right.

 Frank
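
The difference between "v=spf1 -all" and "v=spf1 a -all" for the EHLO name, as an added example that is not part of the original message: a small Python evaluator covering only the SPF mechanisms a, ip4 and all, run against constructed zone data. The address 192.0.2.25 and the ZONE table are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data (assumption): toaster.example.net publishes a null MX
# and sends its own mail from 192.0.2.25.
ZONE = {
    ("toaster.example.net", "MX"): [(0, ".")],
    ("toaster.example.net", "A"): ["192.0.2.25"],
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def is_null_mx(zone, domain):
    """True when the only MX is preference 0 with target '.' (accepts no mail)."""
    return zone.get((domain, "MX"), []) == [(0, ".")]


def check_helo(zone, helo, client_ip, spf_txt):
    """Evaluate an SPF policy for the EHLO name; subset: a, ip4:<net>, all."""
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # 'a' matches when the client IP is one of the name's addresses
            addrs = {ipaddress.ip_address(a) for a in zone.get((helo, "A"), [])}
            matched = ip in addrs
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            return "permerror"  # outside the subset handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    host, ip = "toaster.example.net", "192.0.2.25"
    print("null MX:", is_null_mx(ZONE, host))
    for policy in ("v=spf1 -all", "v=spf1 a -all"):
        print(policy, "->", check_helo(ZONE, host, ip, policy))
```

With "v=spf1 -all" the toaster's own NDRs (empty reverse-path, so the EHLO name is checked) get FAIL; adding "a" lets its own address pass while any other client using that EHLO name still fails.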