ietf-mxcomp

Re: record size and wild cards

2004-08-11 19:27:46

> So if you have a sender policy for *.example.org now and it
> covers foo.example.org, then it would automatically cover
> _marid.foo.example.org

That's quite true, but that loses the benefit of segregating the MARID
records in _marid.  Say you have three services, _marid, _able, and
_baker, each of which has its own TXT record.  In the absence of
wildcards, you'd put one record each under _marid.foo.example.com,
_able.foo.example.com, and _baker.foo.example.com.

If you have wildcard subdomains, you'd like to put one record each at
_marid.*.example.com, _able.*.example.com, and _baker.*.example.com,
but you can't, since DNS wildcards don't work that way.  So what you
have to do is to put all three records at *.example.com so that
applications using any of the services get all three records and throw
away the ones they don't want.  The problem is that the DNS packet
includes all three records so its size is the sum of all the records.
If the records get big, blammo.  This is specifically an issue if there
are two versions of SPF records.




-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
johnl(_at_)iecc(_dot_)com, Mayor, http://johnlevine.com, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
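
The wildcard behaviour and the size problem described in this message can be modelled in a few lines. This is an added example, not part of the original message: the zone contents, record strings and function names are constructed for illustration, and the 512-byte figure is the classic DNS-over-UDP limit from RFC 1035, which the message itself does not quote.

```python
# Added illustration: a minimal model of DNS wildcard synthesis (RFC 1034
# section 4.3.2, RFC 4592) and of the resulting response size.
UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)

def exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return any(n == name or n.endswith("." + name) for n in zone)

def lookup_txt(zone, qname):
    """Return the TXT strings a server would answer for qname."""
    if exists(zone, qname):
        return zone.get(qname, [])           # exact match: no wildcard
    labels = qname.split(".")
    for i in range(1, len(labels)):          # walk up to the closest encloser
        encloser = ".".join(labels[i:])
        if exists(zone, encloser):
            # only "*" as the leftmost label is a wildcard
            return zone.get("*." + encloser, [])
    return []

def response_size(qname, txts):
    """Wire size: header + question + one TXT RR per string (owner compressed)."""
    question = sum(len(l) + 1 for l in qname.split(".")) + 1 + 4
    rrs = sum(12 + len(t) + max(1, -(-len(t) // 255)) for t in txts)
    return 12 + question + rrs

# Constructed sample records: two versions of a sender policy plus two
# unrelated services, as in the message's _marid/_able/_baker scenario.
MECH = "ip4:192.0.2.0/24 "
MARID = ["v=spf1 " + MECH * 10 + "-all", "v=constructed-v2 " + MECH * 10 + "-all"]
ABLE, BAKER = ["able=" + "a" * 150], ["baker=" + "b" * 150]
Q = "_marid.foo.example.com"

SEPARATE = {Q: MARID, "_able.foo.example.com": ABLE,
            "_baker.foo.example.com": BAKER}
INTERIOR = {"_marid.*.example.com": MARID, "_able.*.example.com": ABLE,
            "_baker.*.example.com": BAKER}
WILDCARD = {"*.example.com": MARID + ABLE + BAKER}

if __name__ == "__main__":
    for label, zone in [("separate", SEPARATE), ("interior *", INTERIOR),
                        ("wildcard", WILDCARD)]:
        txts = lookup_txt(zone, Q)
        size = response_size(Q, txts)
        print(f"{label:10} {len(txts)} TXT, {size:4} bytes, "
              f"fits in UDP: {size <= UDP_LIMIT}")
```
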