So the attacker now gets smarter and sends as
foo@a.b.c.d.example.com.
Is there a policy record there? No. Can I populate every possible
subdomain there? Not with DNS wildcards, therefore no. Uh-oh.
We ran into just this problem while defining CSV, the "like wildcards
except that we use prefixes" problem. Having gone around this a lot
of times, I think I can say with confidence that there are a lot of
hacks, some rather clever, but there is no good solution.
The suggestion that SSP would fail if a domain doesn't have at least
one of MX, A, or AAAA (perhaps with intervening CNAMEs) is intriguing,
but it would have the effect of adding the same condition to RFC 821
or 2821 since SSP users would thereby decree such mail to be
undeliverable. I entirely agree that it is unlikely that one will
get legit mail from an address without enough DNS to write back, but
this is severe standards mission creep.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
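The two mechanisms John discusses, as an added example that is not part of the original post or of any SSP draft: a constructed zone with an RFC 1034/4592-style wildcard resolver in Python. It shows that a wildcard synthesizes the prefixed policy name only when no real name sits between the query name and the wildcard's parent, that a `*` label anywhere but the leftmost position is not a wildcard at all (the "wildcards with prefixes" problem), and what the "must have MX, A or AAAA, following CNAMEs" test would return for the attacker's address. The zone contents, the `_ssp._domainkey.` lookup prefix and all helper names are assumptions made for this illustration.

```python
# Added example: toy zone plus RFC 1034/4592-style wildcard matching.
# Not code from the post or from any SSP implementation; the zone data,
# the _ssp._domainkey. prefix and the helper names are assumptions.

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "example.com.": {"MX": ["10 mail.example.com."], "TXT": ["v=spf1 -all"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "_ssp._domainkey.example.com.": {"TXT": ["dkim=all"]},
    "*.example.com.": {"TXT": ["dkim=all"]},      # wildcard meant to cover "every" subdomain
    "corp.example.com.": {"A": ["192.0.2.30"]},   # a real subdomain: shadows the wildcard below it
    "alias.example.com.": {"CNAME": ["mail.example.com."]},
}
ZONE_APEX = "example.com."
SSP_PREFIX = "_ssp._domainkey."   # assumed prefix under which the policy record is looked up


def normalize(name):
    """Lower-case and make fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ancestors(name):
    """Yield name, then each parent: a.b.example.com. -> b.example.com. -> example.com. -> ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def name_exists(name):
    """A name exists if it owns records or is an ancestor of an owner (empty non-terminal)."""
    return any(name == owner or owner.endswith("." + name) for owner in ZONE)


def is_wildcard_owner(name):
    """Only a leftmost '*' label is a wildcard (RFC 4592); '*' elsewhere is a literal label."""
    return normalize(name).split(".")[0] == "*"


def lookup(qname, rrtype):
    """Resolve within ZONE: exact match, else wildcard synthesis, else NXDOMAIN/NODATA."""
    qname = normalize(qname)
    if not (qname == ZONE_APEX or qname.endswith("." + ZONE_APEX)):
        return ("REFUSED", [])
    if qname in ZONE:
        rrset = ZONE[qname].get(rrtype)
        return ("NOERROR", rrset) if rrset else ("NODATA", [])
    if name_exists(qname):            # empty non-terminal: exists, owns nothing
        return ("NODATA", [])
    # Closest encloser: the nearest existing ancestor. A wildcard applies only
    # when it is a direct child of that encloser, so any real intermediate
    # subdomain (corp.example.com. above) cuts the apex wildcard off.
    closest = next(a for a in ancestors(qname) if a != qname and name_exists(a))
    wildcard = "*." + closest
    if wildcard in ZONE:
        rrset = ZONE[wildcard].get(rrtype)
        return ("NOERROR", rrset) if rrset else ("NODATA", [])
    return ("NXDOMAIN", [])


def ssp_policy(domain):
    """Policy lookup at the prefixed name; returns (rcode, first TXT rdata or None)."""
    rcode, rrset = lookup(SSP_PREFIX + normalize(domain), "TXT")
    return rcode, (rrset[0] if rrset else None)


def has_mail_dns(domain, max_cnames=8):
    """The proposal in the post: does the domain have MX, A or AAAA, following CNAMEs?"""
    name = normalize(domain)
    for _ in range(max_cnames + 1):
        for rrtype in ("MX", "A", "AAAA"):
            rcode, rrset = lookup(name, rrtype)
            if rcode == "NOERROR" and rrset:
                return True
        rcode, cname = lookup(name, "CNAME")
        if rcode == "NOERROR" and cname:
            name = normalize(cname[0])   # chase the CNAME, bounded by max_cnames
            continue
        return False
    return False


if __name__ == "__main__":
    for addr in ("foo@example.com", "foo@a.b.c.d.example.com.", "foo@a.corp.example.com"):
        domain = addr.split("@", 1)[1]
        print(addr, "policy:", ssp_policy(domain), "mail DNS:", has_mail_dns(domain))
    print("_ssp._domainkey.*.example.com is a wildcard:",
          is_wildcard_owner("_ssp._domainkey.*.example.com"))
```

Running it shows the shape of the problem: the apex wildcard does answer for `_ssp._domainkey.a.b.c.d.example.com` because nothing real exists between that name and the apex, but the same wildcard returns nothing for any name under the real `corp.example.com` (including `corp.example.com`'s own policy name), so every existing subdomain needs its own wildcard or record, and a `*` placed under the prefix is just a literal label. The MX/A/AAAA test returns false for the attacker's made-up subdomain, which is the effect John describes, at the price of also tying deliverability to that rule.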