So, I've been thinking about use cases for having the same ADSP (or even
a future non-author domain signing policy) for an entire tree.

One could be a free-form environment like some educational institutions
or the old demon.net, where any host might start up a mail server at any
time without talking to the admins of the root domain. But since these
randomly initiated new servers might not be configured to sign with DKIM
correctly, the only possible record would be "unknown" -- which is, in
this case, functionally the same as having no record at all.

Another, probably more common, would be an ESP with new customers coming
online all the time -- company1.example.com, company2.example.com, and
so forth. Perhaps they've been able to get away with using wildcards thus
far. But they'll already have a system somewhere which tracks which of
these deeper customer domains have been created, right? So they'll
simply need to have that system update the DNS records, too. This is
not a difficult problem -- I wrote a shell script to do it years ago,
and I'm a truly awful programmer. Besides, they were certain to run
into it eventually.

Or there will be paranoid admins who would want to state "we don't send
any mail at all from *, unless I state otherwise in a more-specific
record." In other words, they'd be trying to change the default state
from "unknown" to "discardable." Some of my personal domains would
benefit from this; they're the ones where I currently have "v=spf1 -all".

Did I miss any?
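The following is an added example, not code from the original post or its author. It models the two points the post makes about ADSP (RFC 5617): that a provisioning system can emit one `_adsp._domainkey` TXT record per customer subdomain as they are created, and that a domain with no record at all is evaluated exactly as if it had published `dkim=unknown`. The in-memory zone, the customer names and the receiver disposition table are constructed assumptions standing in for real DNS and real receiver policy.

```python
"""Minimal model of DKIM ADSP (RFC 5617) record publication and lookup.

Added example, not from the original post. The zone is an in-memory dict
standing in for real DNS (constructed data); the receiver disposition
mapping at the bottom is a simplifying assumption, not mandated behaviour.
"""
from typing import Dict, Iterable, List

ADSP_VALUES = ("unknown", "all", "discardable")


def adsp_record_name(author_domain: str) -> str:
    """Owner name of the ADSP TXT record: a fixed label under the author domain.

    RFC 5617 queries exactly this name and does not walk up the tree, which is
    why every customer subdomain needs its own record.
    """
    return f"_adsp._domainkey.{author_domain.strip('.').lower()}"


def build_adsp_records(customer_domains: Iterable[str], policy: str) -> List[str]:
    """Zone-file TXT lines a provisioning system would emit for each customer domain."""
    if policy not in ADSP_VALUES:
        raise ValueError(f"not an ADSP policy value: {policy!r}")
    return [f'{adsp_record_name(d)}. IN TXT "dkim={policy}"' for d in customer_domains]


def zone_from_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse emitted zone lines into an owner-name -> TXT strings map (stand-in for DNS)."""
    zone: Dict[str, List[str]] = {}
    for line in lines:
        owner, _, rdata = line.partition(" IN TXT ")
        zone.setdefault(owner.strip(" ."), []).append(rdata.strip().strip('"'))
    return zone


def parse_adsp(txt: str) -> str:
    """Extract the dkim= tag; a missing or unrecognized value is treated as 'unknown'."""
    for tag in txt.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ADSP_VALUES else "unknown"
    return "unknown"


def lookup_adsp(zone: Dict[str, List[str]], author_domain: str) -> str:
    """Return the ADSP policy for an author domain; an absent record yields 'unknown'."""
    txts = zone.get(adsp_record_name(author_domain), [])
    if not txts:
        return "unknown"  # no record at all: same outcome as publishing dkim=unknown
    return parse_adsp(txts[0])


def receiver_disposition(zone: Dict[str, List[str]], author_domain: str,
                         author_sig_valid: bool) -> str:
    """Simplified receiver decision (assumption for this model, not RFC text).

    A valid author-domain signature always passes. Without one, 'all' marks the
    message suspect, 'discardable' discards it, and 'unknown' never penalizes.
    """
    if author_sig_valid:
        return "accept"
    policy = lookup_adsp(zone, author_domain)
    return {"unknown": "accept", "all": "suspect", "discardable": "discard"}[policy]


if __name__ == "__main__":
    # Constructed sample: two customers were provisioned, a third never was.
    lines = build_adsp_records(["company1.example.com", "company2.example.com"], "discardable")
    zone = zone_from_lines(lines)
    for domain in ("company1.example.com", "company3.example.com"):
        print(domain, lookup_adsp(zone, domain), receiver_disposition(zone, domain, False))
```

Running it shows company1.example.com resolving to `discardable` (unsigned mail discarded) while the never-provisioned company3.example.com resolves to `unknown` and is accepted, which is the gap the post describes when a customer is created without the corresponding DNS update.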