Meng Weng Wong writes, about "what if there were no TXT":
I'm guessing an SRV lookup against DOMAIN.COM with a
reserved port number would return a domain name, something like
MARID-RECORD.DOMAIN.COM, and then something like
I'm pretty sure we'd be doing a SRV lookup for _marid._udp.<domain> and
then asking that server whether to fail/pass/... the message.
The entire SPF/CID/XML thing would never be published - the policy would
be executed by the same entity that chose the policy. Only the IP
address, email address and pass/fail/... result would cross the net.
Arnt