That's exactly how it works, although you don't need an external backup modern email servers will retry for many days before returning a undeliverable notification if a valid MX record exists. With email receiving and delivering email are two separate tasks that don't need to be done by the same service.
For example I use Amazons SES. They have SMTP credentials you plug into your server and you add the DKIM and SPF txt entries to your DNS. The only thing that points to your own server is the MX record. Gmail will re-write emails to be FROM gmail while others may allow you to do similar to SES.
You don't actually need a valid cert or IPv6 to receive email, everyone only cares about the sending side of things.
Amazon will want to know what automated systems you have to deal with bounces and complaints to protect their service but that's about it
Yup bounce emails are routed just like any other email so they go through the relay. This is actually one of the gotcha's when using fetchmail, you can accidentally send out a lot of unintentional bounce emails from an invalid server if you are not careful.
For example I use Amazons SES. They have SMTP credentials you plug into your server and you add the DKIM and SPF txt entries to your DNS. The only thing that points to your own server is the MX record. Gmail will re-write emails to be FROM gmail while others may allow you to do similar to SES.
You don't actually need a valid cert or IPv6 to receive email, everyone only cares about the sending side of things.
Amazon will want to know what automated systems you have to deal with bounces and complaints to protect their service but that's about it