You should publicly advertise a corresponding A record for the MX pointer, as a CNAME cannot be used for that purpose. You cannot use a CNAME for the pointers covered by the SPF records either. It is not possible to have the same "Name" for a CNAME record and other records. So make sure your DNS settings are correct and SPF-ready, e.g.,
    mx      IN A    PUBLIC_IP
    mx2     IN A    BKPMX_PUBLIC_IP
    @       IN MX   10 mx
    @       IN MX   20 mx2
    *       IN TXT  "v=spf1 include:_spf.example.com -all"
    @       IN TXT  "v=spf1 include:_spf.example.com -all"
    _spf    IN TXT  "v=spf1 mx include:iap-example.com ?a:some-alternate-smarthost -all"
Note. If you need to fill in a long list of smart-hosts that are not already listed in the TXT record of the IAP (free.fr in this case), put them in their own TXT record and include it from _spf,
    *       10800 IN TXT "v=spf1 include:_spf.nethence.com -all"
    @       10800 IN TXT "v=spf1 include:_spf.nethence.com -all"
    _free   10800 IN TXT "v=spf1 ?a:smtp1-g21.free.fr ?a:smtp2-g21.free.fr ?a:smtp3-g21.free.fr ?a:smtp4-g21.free.fr ?a:smtp5-g21.free.fr ?a:smtp6-g21.free.fr -all"
    _spf    10800 IN TXT "v=spf1 mx include:sfr.fr include:gandi.net include:_free.nethence.com -all"
And check once those are populated (the delay mostly depends on the last records' TTL),
    host -t mx nethence.com
    host -t txt nethence.com
    host -t txt spoof.nethence.com
    host mx.nethence.com
    host mx2.nethence.com
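RFC 7208 limits one SPF evaluation to 10 DNS-querying terms (include, a, mx, ptr, exists, redirect), so an include chain with many a: entries like the one above is worth counting before it is published. The Python below is an added example, not part of the original page: it walks the nethence.com records copied from the zone file above and counts those terms offline. It assumes sfr.fr and gandi.net cost one lookup each and does not follow their records, so the total is a lower bound.

```python
# Added example: worst-case DNS-lookup count for the SPF records on this page.
# ZONE is copied from the zone file above; nothing is fetched over the network.
ZONE = {
    "nethence.com": "v=spf1 include:_spf.nethence.com -all",
    "_spf.nethence.com": "v=spf1 mx include:sfr.fr include:gandi.net "
                         "include:_free.nethence.com -all",
    "_free.nethence.com": "v=spf1 ?a:smtp1-g21.free.fr ?a:smtp2-g21.free.fr "
                          "?a:smtp3-g21.free.fr ?a:smtp4-g21.free.fr "
                          "?a:smtp5-g21.free.fr ?a:smtp6-g21.free.fr -all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: going over it yields "permerror"
COUNTED = {"a", "mx", "ptr", "exists", "include", "redirect"}  # terms that query DNS


def count_lookups(domain, zone, path=()):
    """Return (lookups, unresolved) for a walk of every term under `domain`.

    An include/redirect target missing from `zone` is counted once and listed
    in `unresolved`; its own terms are not followed (lower bound).
    """
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    terms = zone[domain].split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    lookups, unresolved = 0, []
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            # Drop the qualifier (+ - ~ ?) and any /cidr suffix on the name.
            name, _, target = term.lstrip("+-~?").partition(":")
            name = name.split("/")[0].lower()
        if name not in COUNTED:
            continue  # ip4, ip6, all, exp=... cost no lookup
        lookups += 1
        if name in ("include", "redirect"):
            if target in zone:
                sub, missing = count_lookups(target, zone, path + (domain,))
                lookups += sub
                unresolved += missing
            else:
                unresolved.append(target)
    return lookups, unresolved


def exceeds_limit(domain, zone):
    """True when the walk alone already needs more than LOOKUP_LIMIT lookups."""
    return count_lookups(domain, zone)[0] > LOOKUP_LIMIT
```

For these records the count is at least 11, one over the limit. A sender that matches no mechanism walks every term, so an RFC 7208 verifier returns permerror for it instead of the intended fail.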
If you want your MX to be able to send messages to other secure SMTP servers on the public network, you might have to fix your own PTRs (this is sometimes done on the ISP side, as the ISP holds your IP address).
    PUBLIC_IP        IN PTR  mx.nethence.com.
    BKPMX_PUBLIC_IP  IN PTR  mx2.nethence.com.