Recently my webhost changed data center, and with it the IP address, which in effect took my mail down for five straight days! I looked around and decided to set up a fallback MX server with Zoho.
Most of the web apps that I host rely on PHP's mail() function to send out mail, and that has nothing to do with my domain's MX setting. The MX records only specify which servers can receive mail on behalf of a domain.
SPF, DKIM and DMARC decide who can send mail on behalf of my domain. I configured them so that my webhost's SMTP server, PHP mail() on that host, and Zoho can all send mail on behalf of my domain ekvastra.in, and I configured the MX records so that my webhost's mail server (the lower MX preference value) gets emails first; if that server is down, delivery falls back to my Zoho mail server.
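As an added example (not code from the original post), the two independent checks described above in working Python: which MX host a sender tries when the primary is down, and whether a given sending IP passes the domain's SPF record. The hostnames, IPs and records are constructed stand-ins for DNS so the script runs offline, not ekvastra.in's actual records, and the SPF evaluator is deliberately simplified: it handles ip4, ip6, include and all, and does not model DKIM or DMARC.

```python
"""Receive-side vs send-side mail policy, as an added example.

MX preference decides which server receives mail for a domain (and in what
order senders try them); SPF decides which IPs may send mail claiming to be
from the domain. Records below are constructed for illustration; hostnames
and IPs are assumptions, not ekvastra.in's real records.
"""
import ipaddress

# Constructed MX record set as (preference, hostname). Senders try the lowest
# preference value first and fall back to the next one if it is unreachable.
MX_RECORDS = [
    (20, "mx.zoho.example."),       # fallback
    (10, "mail.webhost.example."),  # primary
]

# Constructed TXT records standing in for DNS lookups. 'include:' pulls in
# the sending provider's own SPF record, as a Zoho-style setup would.
SPF_TABLE = {
    "ekvastra.example": "v=spf1 ip4:203.0.113.10 include:_spf.zoho.example ~all",
    "_spf.zoho.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_delivery_order(records):
    """Hostnames in the order a sending MTA tries them (RFC 5321 section 5.1):
    lowest preference value first."""
    return [host for _, host in sorted(records, key=lambda rec: rec[0])]


def pick_mx(records, down=frozenset()):
    """First MX host not in `down`, or None when every MX is unreachable."""
    for host in mx_delivery_order(records):
        if host not in down:
            return host
    return None


def spf_check(domain, ip, table=SPF_TABLE, depth=0):
    """Simplified SPF evaluation (RFC 7208) for the ip4, ip6, include and all
    mechanisms; returns pass/fail/softfail/neutral/none/permerror. Mechanisms
    that need live DNS (a, mx, ptr, exists) are reported as permerror here."""
    if depth > 10:                        # RFC 7208 section 4.6.4 lookup limit
        return "permerror"
    record = table.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        result = RESULT_FOR_QUALIFIER[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return result
        elif mech == "include":
            sub = spf_check(arg, ip, table, depth + 1)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"        # RFC 7208 section 5.2
        else:
            return "permerror"
    return "neutral"                      # nothing matched and no 'all'


if __name__ == "__main__":
    print("normal delivery goes to", pick_mx(MX_RECORDS))
    print("with primary down it goes to", pick_mx(MX_RECORDS, {"mail.webhost.example."}))
    for sender_ip in ("203.0.113.10", "198.51.100.7", "2001:db8::1", "192.0.2.1"):
        print(sender_ip, "->", spf_check("ekvastra.example", sender_ip))
```

Note that `pick_mx` and `spf_check` never consult each other: the host that receives mail for the domain has no bearing on whether an IP is allowed to send for it, which is exactly why adding a fallback MX required a separate SPF change.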
I also discovered that the webhost gives my login a mail account of its own (not under my domain) where it sends bounce notifications and similar FYI mails, which I had never opened! I also noticed that if I configure my web apps to send mail through my webhost's SMTP server over SSL using the remote hostname, the mail also gets processed by SpamAssassin and is sometimes discarded. My apps send only harmless updates, so I reverted them to use localhost, which does not subject them to inspection by SpamAssassin.
All this was a hell of a learning experience! Who knew that receiving and sending mail are completely independent activities, governed by independent security policies with no relation to each other!
My webhost provides IMAP for mail access from third-party apps, but Zoho only allows web access through its website/app. My webhost also provides a webmail interface on port 2096 (webmail over SSL), while cPanel over SSL runs on port 2083.
While configuring and validating these things I also came to understand the MTA-STS specification much better. Since I had set my policy's max_age (the caching period) to 28 days, there was no way I could get an MTA-STS-honoring (and caching) sender like Gmail to start delivering to my Zoho MX server, which meant I had to get my primary MX server back up quickly. This didn't matter for mail servers that do not yet honor MTA-STS. On finding this out I also reduced my MTA-STS max_age to one day, so that in future I can change my MX servers with a one-day lock-in. Mind you, this is not a notice period but a lock-in period: senders may not take note of your changes before the expiry of the lock-in period.
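As an added example (not code from the original post), here is the MTA-STS behaviour described above modelled in Python: a sender caches the policy it fetched over HTTPS for max_age seconds and, in enforce mode, will not deliver to any MX the cached policy does not list, so a fallback MX added after the fetch is invisible until the cache expires. The TXT record, both policy files and the MX hostnames are constructed; they are assumptions, not ekvastra.in's real records.

```python
"""MTA-STS policy caching and MX lock-in, as an added example.

A sender honouring MTA-STS (RFC 8461) caches the policy fetched from
https://mta-sts.<domain>/.well-known/mta-sts.txt for max_age seconds and, in
'enforce' mode, refuses to deliver to any MX host the cached policy does not
list. Records below are constructed; hostnames are assumptions.
"""
from dataclasses import dataclass

DAY = 86400

# Constructed _mta-sts.<domain> TXT record; the id changes when the policy does.
STS_TXT = "v=STSv1; id=20240301T120000Z"

# Policy before the change: primary MX only, cached for 28 days.
OLD_POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.webhost.example
max_age: 2419200
"""

# Policy after the change: Zoho fallback added, lock-in cut to one day.
NEW_POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.webhost.example
mx: *.zoho.example
max_age: 86400
"""

# MX hosts as published in DNS, primary first (constructed).
MX_CANDIDATES = ["mail.webhost.example", "mx.zoho.example"]


@dataclass
class StsPolicy:
    mode: str
    mx: list
    max_age: int


def parse_sts_txt(txt):
    """Return the policy id from a '_mta-sts' TXT record."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not an MTA-STS TXT record")
    return fields["id"]


def parse_sts_policy(text):
    """Parse the 'key: value' policy file (RFC 8461 section 3.2)."""
    version, mode, mx, max_age = None, None, [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    return StsPolicy(mode, mx, max_age)


def mx_matches(pattern, hostname):
    """RFC 8461 section 4.1: '*.zoho.example' matches exactly one leading label,
    so mx.zoho.example matches but a.b.zoho.example and zoho.example do not."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return hostname == pattern


def usable_mx(policy, candidates):
    """MX hosts a sender holding this cached policy may deliver to. Only
    'enforce' mode drops hosts; 'testing' delivers anyway (and just reports)."""
    if policy.mode != "enforce":
        return list(candidates)
    return [h for h in candidates if any(mx_matches(p, h) for p in policy.mx)]


def needs_refetch(cached_id, dns_id, cache_age_seconds, policy):
    """A sender refetches when the TXT id changed or max_age ran out. The
    refetch itself needs the HTTPS policy host to be reachable; if that host
    sits on the same down webhost, the old policy stays in use until expiry."""
    return cached_id != dns_id or cache_age_seconds >= policy.max_age


OLD_POLICY = parse_sts_policy(OLD_POLICY_TEXT)
NEW_POLICY = parse_sts_policy(NEW_POLICY_TEXT)

if __name__ == "__main__":
    policy_id = parse_sts_txt(STS_TXT)
    print("old cached policy allows:", usable_mx(OLD_POLICY, MX_CANDIDATES))
    print("new cached policy allows:", usable_mx(NEW_POLICY, MX_CANDIDATES))
    print("28-day policy refetched after 5 days?", needs_refetch(policy_id, policy_id, 5 * DAY, OLD_POLICY))
    print("1-day policy refetched after 5 days?", needs_refetch(policy_id, policy_id, 5 * DAY, NEW_POLICY))
```

The lock-in the post describes is the `usable_mx` result under the old cached policy: with only `mail.webhost.example` listed, an enforcing sender has no permitted host once that server is down, and it keeps that policy until `needs_refetch` returns true. Shrinking max_age bounds that window; it does not shorten it for senders that already hold the 28-day copy.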