If an MSA host accepts messages on port 25 then DNS-MX records SHOULD
NOT point to this host.
This rule isn't necessary. SMTP server software can distinguish between
MSA mode and MX mode using the fact that the client did or did not
authenticate itself. The only caveat is that systems that work like this
have less scope for pre-authentication anti-spam techniques because some
of these tricks can disrupt MSA clients in unpleasant ways.
I thought that one of the ideas behind MSA was that you didn't need SMTP server
software that can distinguish between MSA mode and MX mode.
But i also saw a bit of your point, that is why i formulated it as a
recommandation (SHOULD) not an requirement (MUST)