No, you don't need to have recursion on for authoritative DNS servers. Depending on who you ask, it's even considered good practice that (if possible) your authoritative server not be recursive, as it's a line of defence against some DoS attacks. (Cisco's document is here, for example.)
A sample from my domain is below (server is running BIND 9 and is non-recursive).
; <<>> DiG 9.5.1-P3 <<>> mail.<snip> @<my authoritative master>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;mail.<snip>. IN A
;; ANSWER SECTION:
mail.<snip>. 86400 IN CNAME ghs.google.com.
ghs.google.com. 158151 IN CNAME ghs.l.google.com.
ghs.l.google.com. 33 IN A 74.125.47.121
;; AUTHORITY SECTION:
google.com. 153556 IN NS ns4.google.com.
google.com. 153556 IN NS ns2.google.com.
google.com. 153556 IN NS ns3.google.com.
google.com. 153556 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 169823 IN A 216.239.32.10
ns2.google.com. 169823 IN A 216.239.34.10
ns3.google.com. 169823 IN A 216.239.36.10
ns4.google.com. 169823 IN A 216.239.38.10
It sounds more like a DNS misconfiguration at the Windows 2003 DNS than anything else.
Your zone looks good as it is presented here.
The answer to your immediate question is yes, you need a MX record.
An MX record (literally, Mail eXchange) is a record that tells the rest of the internet which systems are willing to deal with mail destined for that domain.
For your zone, your MX record is:
@ --> mx.askerov.net (priority 30)
This means that the computer(s), mx.askerov.net, is(are) allegedly willing to deal with mail destined for your domain. Without this record, the internet at large will not know where to send askerov.net messages.
You then have to have the record(s) for mx.askerov.net to be defined, and the machines sitting on those addresses are presumably the mydomain.com systems that do the email forwarding.
Note that depending on what your MX record is pointing at, you might not need A records for the MX system you are using. For example, if you instead had your MX record pointing somewhere else, say
@ --> mx1.someplaceelse.local
...then you would not need the A record for mx1.someplaceelse.local -- it would be the responsibility of the domain managers of someplaceelse.local to publish the A record for mx1.
The answer to your real question, why are messages bouncing, depends on what the bounce message says.
Best Answer
The naked domain CNAME problem is common. The DNS specs do not allow you to redirect a naked domain. Because of this, many DNS providers do not allow you to use a CNAME for @. Your DNS provider's way of making @ records use a CNAME must be interfering with other records.
Your workaround is as follows:
Google runs servers that do nothing but redirect naked domains to other domains (i.e. yourdomain.com to www.yourdomain.com). In your Google Apps control panel, go to Domain Settings -> Domain Name, and follow the instructions to redirect your naked domain to www.yourdomain.com. In your DNS settings, have them keep your www record, but change the @ CNAME record to an A record: give them the IP addresses provided to you by Google in their instructions. Have them add Google's MX records and you're set.
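An added example, not part of the answers above: a small zone check for the apex CNAME conflict described in the last answer. A CNAME may not share an owner name with other record types, and an MX target should not itself be an alias. The zone text, the example.com domain and the function names are constructed for illustration, and the parser assumes one record per line with an explicit owner name.

```python
from collections import defaultdict

# Constructed sample zone for the placeholder domain example.com (not from the page).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@    3600 IN SOA   ns1 hostmaster 1 7200 900 1209600 300
@    3600 IN NS    ns1
@    3600 IN CNAME ghs.google.com.
@    3600 IN MX    10 aspmx.l.google.com.
www  3600 IN CNAME ghs.google.com.
mail 3600 IN MX    10 www
ns1  3600 IN A     192.0.2.53
"""
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT"}

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text):
    """Return ({owner: [(type, rdata)]}, origin) for simple one-line records."""
    origin, records = ".", defaultdict(list)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
        # The record type is the first known type token after the owner name.
        idx = next((i for i, f in enumerate(fields) if i and f.upper() in TYPES), None)
        if idx is not None:
            records[fqdn(fields[0], origin)].append((fields[idx].upper(), fields[idx + 1:]))
    return records, origin

def lint(text):
    """List owner names where a CNAME conflicts with other data or backs an MX."""
    records, origin = parse_zone(text)
    findings = []
    for owner, rrs in records.items():
        types = {t for t, _ in rrs}
        others = ", ".join(sorted(types - {"CNAME"}))
        if "CNAME" in types and others:
            findings.append(f"{owner}: CNAME coexists with {others}")
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype == "MX" and len(rdata) > 1:
                target = fqdn(rdata[1], origin)
                if any(t == "CNAME" for t, _ in records.get(target, [])):
                    findings.append(f"{owner}: MX target {target} is a CNAME")
    return findings
```

Calling `lint(SAMPLE_ZONE)` reports the apex conflict and the aliased MX target; a zone that uses an A record at `@` and keeps the CNAME only on `www` comes back clean.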