You should publicly advertise a corresponding A record for the MX pointer, as a CNAME cannot used for that purpose. You cannot use a CNAME for the pointers covered by the SPF records either. It is not possible to have the same “Name” for a CNAME record and other records. So make sure your DNS settings are all good and SPF ready e.g.,
mx IN A x.x.x.x @ IN MX 5 mx * IN TXT "v=spf1 mx a -all" @ IN TXT "v=spf1 mx a -all"
or a more advanced flavor of it
mx IN A PUBLIC_IP mx2 IN A BKPMX_PUBLIC_IP @ IN MX 5 mx @ IN MX 10 mx2 * IN TXT "v=spf1 include:_spf.example.com -all" @ IN TXT "v=spf1 include:_spf.example.com -all" _spf IN TXT "v=spf1 mx include:iap-example.com ?a:some-alternate-smarthost -all"
Note. If you need to fill-in a long list of smart-hosts that are not already listed in the TXT record of the IAP (free.fr in this case),
* 10800 IN TXT "v=spf1 include:_spf.nethence.com -all" @ 10800 IN TXT "v=spf1 include:_spf.nethence.com -all" _free 10800 IN TXT "v=spf1 ?a:smtp1-g21.free.fr ?a:smtp2-g21.free.fr ?a:smtp3-g21.free.fr ?a:smtp4-g21.free.fr ?a:smtp5-g21.free.fr ?a:smtp6-g21.free.fr -all" _spf 10800 IN TXT "v=spf1 mx include:sfr.fr include:gandi.net include:_free.nethence.com -all"
Note. Gandi advocated SPF while Free does not
And check once those are populated (the delay mostly depends on the last records' TTL),
host -t mx nethence.com host -t txt nethence.com host -t txt spoof.nethence.com host mx.nethence.com host mx2.nethence.com
Also further validate using online tools or eventually the specific spfquery_static tool.
If you want your MX to be able to send messages to other secure SMTPs on the public network, you might have to fix your own PTRs (sometimes done at the ISP side which is holding your IP address).
PUBLIC_IP IN PTR mx.nethence.com. BKPMX_PUBLIC_IP IN PTR mx2.nehtence.com.
SPF Record Syntax http://www.open-spf.org/SPF_Record_Syntax/
What is an example of how a receiving mail server uses SPF? http://www.open-spf.org/FAQ/Examples/
The Demon Question: What about subdomains? http://www.openspf.org/FAQ/The_demon_question
FAQ/Common mistakes http://www.open-spf.org/FAQ/Common_mistakes
FAQ/Hints for ISPs http://www.open-spf.org/FAQ/Hints_for_ISPs
RFC 4408 - 8. Macros http://www.open-spf.org/RFC_4408#macros
Hardening Postfix For ISPConfig 3 https://www.howtoforge.com/hardening-postfix-for-ispconfig-3
Postfix SMTP Access Policy Delegation http://www.postfix.org/SMTPD_POLICY_README.html
More Information About Txt Record https://mxtoolbox.com/problem/spf/txt-record
HOWTO - Define an SPF Record http://www.zytrax.com/books/dns/ch9/spf.html
Setting an SPF record for all subdomains of my domain https://serverfault.com/questions/344103/setting-an-spf-record-for-all-subdomains-of-my-domain
Can SPF records contain domain name wildcards? https://serverfault.com/questions/228985/can-spf-records-contain-domain-name-wildcards
Implement SPF In Postfix https://www.howtoforge.com/postfix_spf
SPF Record Testing Tools https://www.kitterman.com/spf/validate.html
SPF Record Check - Lookup SPF Records https://mxtoolbox.com/spf.aspx
SPF Record Checker https://www.dmarcanalyzer.com/spf/checker/
SPF Record Check https://dmarcian.com/spf-survey/
Check your SPF and DKIM keys https://www.mail-tester.com/spf-dkim-check