Douglas Otis writes:

> I doubt that such a mechanism would be able to block mail. The best
> that could be expected would be to mark mail. (The open list issue.)

Same as for SPF/CID, as far as I can tell. It all depends on which
domain you choose to look up. The "_whatever." prefix doesn't matter,
and neither does whether you interpret the resulting RRset yourself or
perform an RPC.

> The next problem would be DoS. Can this be done using UDP?

Sure. You can DoS name servers easily, and you can DoS other UDP-using
servers in exactly the same way(s).

> As this gets implemented, will these systems see mail rejected because
> their service approval service fails?

They might, but since DNS is subject to the same attack, it should be no
more and no less susceptible than SPF/CID.

(DNS caches, but that doesn't mean anything for a DoS attack. The
attacker will not want to cache.)