On the MS record issue: would it be more workable to add a record
with some sort of authentication information, and have the receiving SMTP
server force the sending side to authenticate itself if such a record
existed? It seems to me this would solve the concerns about limiting
sender IPs and changing hostnames without introducing any new problems. (I
think there's something else--DNSSEC?--that uses a similar system, but it's
4am and I can't bring it to mind at the moment.)
--Andrew Church
achurch(_at_)achurch(_dot_)org
http://achurch.org/