On Thu, 19 Dec 2019 18:01:37 +0200 Henrik K wrote: > But if one wanted to check the forwarders after hermes.apache.org > properly, it would make more sense to add it in internal_networks, > since practicall it acts as the outer MX for you. That would enable > proper blacklist checks too.
Mostly that's the best thing to do, but there can be cases where it's not possible to distinguish between an MX handover and submission into the third-party network. In that case it may be better to avoid the risk of running last-external checks on mail clients.