Dear Ian,
Thanks for the tip! Unfortunately, there isn't a DNS problem, but there might have been a transient connectivity problem.
Regardless and with all due respect, deferring mail indefinitely because a sender contacts the published backup/secondary MX records for the domain rather than the primary, is really poor practice and certainly not in the spirit or best practices of the SMTP RFCs.
A customer with this setup gains little benefit from the published record, except in the rare instance that the primary is taken offline and the secondary is made aware of that change.
Consider this from off network (well outside of Symantec's cloistered, hallowed halls). I am in distant locale, many hops from either of two routes into Symantec's network intrastructure.
$ dig +short -t MX schneider-electric.com
10 cluster3.eu.messagelabs.com.
20 cluster3a.eu.messagelabs.com.
$ dig +short cluster3.eu.messagelabs.com
46.226.52.195
$ dig +short cluster3a.eu.messagelabs.com
85.158.139.103
Sender network/mail relay cannot reach 46.226.52.195 due to provider network not receiving prefix or perhaps blackhole mitigation. Sender mail relay has a route to 85.158.139.103 and makes an attempt to connect but upon deferral, queues that mail for redelivery at the next interval. For whatever reason, even over multiple attempts during the queue TTL, connectivity to the primary remains unavailable. So the queue TTL timer expires, and the mail is bounced to the sender, when by all reasoning, it should have been delivered.
What is the point of publishing a backup MX record, if not to accept mail for delivery?
I am well aware of the following document:
https://support.symantec.com/en_US/article.TECH247121.html
It does not excuse the bad behavior of backup mail exchangers which presume they have the foreknowledge that from anywhere on the Internet, the primary is reachable. It cannot be determined a priori by Symantec whether every other network attempting to access endpoints via published DNS records can actually access ALL of those endpoints!
The fact that the primary exchangers at Symantec are clusters running behind load balancers doesn't make the sitation any better. At any given moment, there can exist an outage over a given path to an endpoint. Having a backup enpoint DNS record published is supposed to be another way to mitigate the event! Instead, Symantec completely misses the boat and in effect publishes superfluous MX records which do as much harm as good.
Something for your engineering team and customers to consider. I would be hard pressed to ever decide on partnering with Symantec for email services based on this learning experience.
Best regards.