Jim,

I'm not sure I fully understand the threat. If an attacker is attacking
from mail.example.com, then mail.example.com must have been delegated to
first in example.com. Otherwise, there would be no lookup for an SSP
record in mail.example.com, right?

I had thought the concern was the wildcard concern about how much trust
is afforded between superior and inferior domains. In that case, I
answer, "you pays your money you takes your chances". Don't like a
particular superior? Find another. If you can't for policy reasons,
then that's not a technical problem.

What do I have wrong?

Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html