MTX Policy records, which are optional, allow you to specify the extent to which your domain is participating in MTX, and therefore the extent to which an email from your domain without an MTX record should be penalized.
If a domain has no MTX Policy record, it is treated as though it had one with a value of 127.0.0.0, meaning "Don't penalize IPs without MTX records any more than non-participating domains.", applied to the entire domain.
MTX Policy records are DNS "A" records named in the form "policy.mtx.example.com", with a value as follows:
Participation:
| Value | Result | Meaning | SA Score |
| Not defined | None | Not participating, prefer no penalty. | 0 |
| 127.0.*.0 | Neutral | Not participating / Don't penalize any more than non-participating domains. | 0 |
| 127.0.*.1 | SoftFail | Mostly participating. Subject to further scrutiny (greylisting). | 1 |
| 127.0.*.2 | HardFail | Completely participating. Reject. | 100 |
MTX Fail includes all results other than Pass (None, Neutral, SoftFail, and HardFail). The goal is that, with full participation, receivers can reject all email without an MTX Pass and ignore MTX Policy records.
SoftFail means the IP is not believed to be a legitimate transmitting mail server, but it's not certain.
Delegation to subdomains:
| Not defined | Not Delegated | |
| 127.0.0.* | Not Delegated | Participation level applies to this domain and all subdomains. |
| 127.0.1.* | Delegated to Subdomains | Participation level applies to this domain and any subdomains that do not have their own Policy record. Use subdomain Policy records. |
So in BIND DNS server syntax, the following specifies that any email from the domain chaosreigns.com, or from any subdomain, without an MTX record should be rejected (HardFail):
policy.mtx.chaosreigns.com. IN A 127.0.0.2
When testing these records, ignore the second octet, as it might be used for something in the future.
Check the relevant MTX record first. If it has a value of 127.*.*.1 or 127.*.*.0, skip the MTX Policy lookup. An MTX record value of 127.*.*.0 is also a HardFail.
If the MTX Policy record exists, but the value doesn't match anything defined above, treat it as undefined.
For figuring out where to find the first Policy record, my implementation uses Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain, and so far I'm very happy with it.
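The lookup rules above, as an added Python example (not the author's SpamAssassin implementation). It assumes the registered domain is passed in by the caller (the job trim_domain does in the author's code), that an MTX value of 127.*.*.1 means Pass, and that a delegated subdomain without its own Policy record inherits the nearest ancestor's result; the function names and the RECORDS data are constructed for illustration.

```python
import ipaddress

# SA scores per result, from the Participation table above.
SA_SCORE = {"None": 0, "Neutral": 0, "SoftFail": 1, "HardFail": 100}
PARTICIPATION = {0: "Neutral", 1: "SoftFail", 2: "HardFail"}

# Constructed sample data standing in for DNS A-record lookups.
RECORDS = {
    "policy.mtx.example.com": "127.0.0.2",        # HardFail, not delegated
    "policy.mtx.example.net": "127.0.1.1",        # SoftFail, delegated
    "policy.mtx.lists.example.net": "127.0.0.0",  # Neutral, not delegated
    "policy.mtx.example.org": "127.0.0.7",        # undefined value
}

def octets(value):
    try:
        return tuple(ipaddress.IPv4Address(value).packed)
    except ValueError:
        return None

def decode_policy(value):
    """Return (result, delegated), or None if the value is undefined."""
    o = octets(value)
    # Second octet is ignored; third is delegation, fourth is participation.
    if not o or o[0] != 127 or o[2] not in (0, 1) or o[3] not in PARTICIPATION:
        return None
    return PARTICIPATION[o[3]], o[2] == 1

def evaluate(sender, registered, mtx_value, records=RECORDS):
    """Result name for a sending IP whose MTX lookup returned mtx_value (or None)."""
    mtx = octets(mtx_value)
    if mtx and mtx[0] == 127 and mtx[3] in (0, 1):
        # The MTX record decides; no Policy lookup. ".1" as Pass is an assumption.
        return "Pass" if mtx[3] == 1 else "HardFail"
    labels = sender.split(".")
    depth = len(registered.split("."))
    # Walk from the registered domain down towards the sender's domain.
    chain = [".".join(labels[-n:]) for n in range(depth, len(labels) + 1)]
    result = "None"
    for i, domain in enumerate(chain):
        policy = decode_policy(records.get("policy.mtx." + domain))
        if policy is None:
            if i == 0:
                break      # no usable record at the top: not delegated
            continue       # delegated subdomain without its own record
        result, delegated = policy
        if not delegated:
            break          # applies to this domain and all subdomains
    return result
```

Look up the returned name in SA_SCORE to get the score from the Participation table.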