ietf-mxcomp

RE: you must fill your zones with TXT records

2004-08-10 14:14:15

Traditional remote domain verification involves checking that the domain
stated in an email address has a valid MX or A record published in the
DNS. This implies that a spammer could send email "from" any old machine
with an A record and expect it to be accepted. Sender-ID does not solve
this problem unless you publish a -all record for EVERY HOST on your
network, since in the absence of a Sender-ID record the recipient will
fall back to the current behaviour.

This is where the automated tools come in.  Something to inspect the zone and
then push records through ddns for every node that doesn't already have a
MARID-style record.[1]

This is a flaw with every proposal that uses DNS, but it is not an
insurmountable one.  Not to mention that the wildcard issues were beaten to a
greasy spot on the floor, never mind beaten to death.

[1] Someone again said this was inexcusable but I never received an
explanation as to why.  Any takers?

-- 
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>
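
The zone-inspection tool described in the message above, as an added example that is not part of the original post: it finds every name with an A record but no policy TXT record and emits `nsupdate` commands to add one. The zone data is constructed, and the record text `v=spf1 -all`, the `senders` exclusion and the one-record-per-line zone layout are assumptions.

```python
# Constructed sample zone: owner, TTL, class, type, rdata on every line.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@       3600 IN MX  10 mail
@       3600 IN TXT "v=spf1 mx -all"
mail    3600 IN A   192.0.2.10
www     3600 IN A   192.0.2.20
www     3600 IN TXT "v=spf1 -all"
build   3600 IN A   192.0.2.30
printer 3600 IN A   192.0.2.40
printer 3600 IN TXT "location=floor2"
"""
DENY_ALL = "v=spf1 -all"  # assumed form of the "-all record" in the thread

def fqdn(name, origin):
    """Expand a zone-file owner name to a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def hosts_missing_policy(zone_text, senders=()):
    """Sorted FQDNs that own an A record but no v=spf1 TXT record."""
    origin, has_a, has_policy = ".", set(), set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # layout this simplified parser does not handle
        owner, rtype, rdata = fqdn(fields[0], origin), fields[3].upper(), fields[4]
        if rtype == "A":
            has_a.add(owner)
        elif rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            has_policy.add(owner)  # an unrelated TXT record does not count
    # Hosts that legitimately send mail must not get a blanket deny.
    skip = {fqdn(s, origin) for s in senders}
    return sorted(has_a - has_policy - skip)

def nsupdate_script(zone_text, senders=(), ttl=3600):
    """Build nsupdate input that adds the deny-all record where missing."""
    hosts = hosts_missing_policy(zone_text, senders)
    lines = [f'update add {h} {ttl} TXT "{DENY_ALL}"' for h in hosts]
    return "\n".join(lines + ["send"]) if lines else ""

if __name__ == "__main__":
    print(nsupdate_script(SAMPLE_ZONE, senders=("mail",)))
```

Hosts that already publish a policy are left alone, so the script can be re-run after each zone change without overwriting hand-written records.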