The DNS MX (Mail eXchanger) records for your domain tell the public where to send email for your domain. If you continue to use the initial DNS MX records that we suggest you use, you will start to get spam that bypasses our service. In this example, yourdomain.com is your domain name.
IN MX 10 yourdomain-com.relay1a.spamh.com.
IN MX 20 yourdomain-com.relay1b.spamh.com.
IN MX 25 mail.yourdomain.com.
IN MX 30 yourdomain-com.relay1c.spamh.com.
SMTP clients that send email to you are supposed to look up all of these MX records and send their email to the MX with the highest priority (lowest number). Only if that delivery fails should they move on and try the next MX in priority order. Notice that your DNS MX record is "sandwiched" between ours. The actual priority numbers are irrelevant; only their numerical order matters.
However, professional spammers will look up all of the MX records for your domain, and instead of starting with the highest priority one, they'll either select an MX at random, or select the MX that isn't a known anti-spam service. This can result in them sending email for your domain directly to your email server instead of to us. Additionally, spammers tend to target the lowest priority MX record because these are often just "store and forward" email servers that queue email for the primary mail server and don't have any anti-spam system in place. You can determine if an email message bypassed our service by reviewing the Internet headers.
To prevent this, we recommend that you optimize your MX records by removing your email server from your DNS MX records.
IN MX 10 yourdomain-com.relay1a.spamh.com.
IN MX 20 yourdomain-com.relay1b.spamh.com.
IN MX 30 yourdomain-com.relay1c.spamh.com.
You still receive your email, because we don't look at your DNS MX records to determine where to send email after it is filtered. We use the "Customer Mailserver" setting in the SPAMSteward Control Panel for your domain name to determine the email server that handles email for your domain.
Additionally, any backup mail exchangers can safely be removed from your MX records because SPAMSteward's redundant mail exchangers now act as your backups.
This step is very important and is mentioned in the Domain Activation email that you receive when you first sign up. We recommend that you do this a few days after making the first DNS MX record changes. Many people forget to make this change, so follow up a few days later and make sure that it gets done.
When removing the DNS MX record for mail.yourdomain.com, it is very important to leave the A record (the record that resolves mail.yourdomain.com to an IP address) if you are using the name mail.yourdomain.com to connect to your email server to retrieve email, are using it to send email, or if you have us sending your email there.
There are three other reasons why spammers may not honor the MX record priority.
- The spammers that have your email address in their mailing list also have the IP address of your email server cached in their mailing list database. This saves them having to look up the MX records for the domain name when they want to send you email. Because they don't have to do this DNS query, which can take a couple of seconds, they can send spam about three times as fast. Even though you have signed up for our service and are using optimized DNS MX records, hiding your actual mail server's IP address from the public, the spammers may still have your mail server's IP address from before you signed up.
- The spammers that have your email address on their mailing list aren't looking up DNS MX records at all, but are just sending to the IP address that yourdomain.com resolves to without a hostname in front of it. You can sometimes prevent this by making sure that yourdomain.com doesn't resolve to the IP address of your email server, but perhaps to your web server instead.
- The spammers that have your email address on their mailing list aren't looking up DNS MX records at all, but are just sending to mail.yourdomain.com. You can sometimes prevent this by using a different name for your email server, and making sure that common names for your email server (smtp.yourdomain.com, mail.yourdomain.com, etc.) do not resolve to the IP address of your email server.
This is all speculation though, as no spammers have come forward and told us exactly why they are not honoring the MX records and are sending their email directly to your email server.
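The DNS-visible part of the advice above can be checked mechanically. The following is an added example, not SPAMSteward code: it flags MX records that point outside the filtering relays and guessable names that resolve to the mail server. The 203.0.113.x addresses, the `mx-in-7f3a` hostname and the record sets are constructed sample data.

```python
FILTER_SUFFIX = ".spamh.com."            # relay host suffix used in the page's MX examples
GUESSABLE_LABELS = ("", "mail", "smtp")  # bare domain plus the common names the page lists


def audit_exposure(domain, mx_records, a_records, mailserver_ip):
    """Return findings describing how senders could reach the mail server directly.

    mx_records: list of (preference, hostname) tuples
    a_records:  dict mapping a fully qualified name to a list of IPv4 strings
    """
    findings = []
    for pref, host in sorted(mx_records):
        if not host.lower().endswith(FILTER_SUFFIX):
            findings.append(("mx", f"MX {pref} {host} points outside the filtering relays"))
    for label in GUESSABLE_LABELS:
        name = f"{label}.{domain}." if label else f"{domain}."
        if mailserver_ip in a_records.get(name, []):
            findings.append(("name", f"{name} resolves to the mail server {mailserver_ip}"))
    return findings


# Constructed sample data: 203.0.113.x are documentation addresses, not real servers.
MAILSERVER_IP = "203.0.113.25"
INITIAL_MX = [
    (10, "yourdomain-com.relay1a.spamh.com."),
    (20, "yourdomain-com.relay1b.spamh.com."),
    (25, "mail.yourdomain.com."),
    (30, "yourdomain-com.relay1c.spamh.com."),
]
OPTIMIZED_MX = [r for r in INITIAL_MX if r[1].endswith(FILTER_SUFFIX)]
INITIAL_A = {
    "yourdomain.com.": ["203.0.113.25"],             # bare domain on the mail server
    "mail.yourdomain.com.": ["203.0.113.25"],
}
HARDENED_A = {
    "yourdomain.com.": ["203.0.113.80"],             # bare domain moved to a web server
    "mx-in-7f3a.yourdomain.com.": ["203.0.113.25"],  # hypothetical non-obvious name
}

if __name__ == "__main__":
    for title, mx, a in (("initial", INITIAL_MX, INITIAL_A),
                         ("optimized", OPTIMIZED_MX, HARDENED_A)):
        print(title)
        for kind, message in audit_exposure("yourdomain.com", mx, a, MAILSERVER_IP):
            print(f"  [{kind}] {message}")
```

An IP address that a sender cached before the change (the first case in the list) does not show up in any DNS audit, which is why the firewall remains the enforcing control.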
Firewall: The best way to ensure that email cannot bypass our service is by making sure that your actual email server is not listed in the DNS MX records for your domain, and then by firewalling your email server so that only our email servers can connect to it. Since all of your legitimate email will be relayed from our email servers and not from anywhere else on the Internet, you can prevent anyone else on the Internet from being able to directly connect to it. This forces all senders to honor the MX records. Please see the documentation for the Firewall feature of the SPAMSteward Control Panel for more information.