Another idea is to use a redundant entry like this:
10 primary.foo.com. 20 secondary.foo.com. 30 primary.foo.com.
This would be relatively simple for slightly smart spamware to see through. I'd add a second A record for primary and put that in 30:
also-primary.foo.com A aa.bb.cc.dd 30 also-primary.foo.com.
I have an address known not to have a listening SMTP server (packets are dropped, not rejected), so I put that as my last entry:
40 blackhole.foo.com
Any spamware searching from the end of the list will have to wait for the TCP timeout connecting to the non-existent server. (Slightly more clever spamware could deal with this as well, but I won't explain here where they're reading.)
