On Wed, May 04, 2005 at 06:20:43PM -0700, David MacQuigg wrote:
> 3) We will dig ourselves deeper into this hole if we encourage the use of
> wildcards. It seems to me that wildcards aren't really necessary with
> email authentication, or even desirable. If some subdomain of
> mydomain.com wants to run its own public mail servers, they should create
> their own DNS records specifically authorizing those servers.

The problem is not (to be) authorized hosts. The problem is in
hosts that are not. Every domain with an A record can be used
in email, unless there is an SPF record saying "no".

Currently, not only a record for "domain.org" needs to be specified,
but also one for "www.domain.org", "ftp.domain.org", "mail.domain.org",
"customer.domain.org" and so on. And it doesn't end here. Also needed
are records for "www.eu.domain.org", "www.us.domain.org",
"ftp.emea.domain.org" and so on...

A wildcard "*.domain.org" _is_ useful. "*.*.domain.org" would also
be useful, would it work.

This is why the zone cut lookup would be useful. It would act as a
zone wide wildcard.

Alternatively, SPF could become non-optional. Either you do have an
SPF record that allows your host to send mail, or you don't send mail.

Alex
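
Added example, not part of the original message: a small audit that lists the names in a zone that have an A record but no SPF policy, applying the DNS wildcard synthesis rules of RFC 4592. The zone contents, addresses and function names are constructed for illustration, and all names are assumed to be lowercase and inside the zone.

```python
# Constructed sample zone: owner name -> {record type: [rdata]}.
ZONE = {
    "domain.org": {"A": ["192.0.2.1"], "TXT": ["v=spf1 mx -all"]},
    "*.domain.org": {"TXT": ["v=spf1 -all"]},
    "www.domain.org": {"A": ["192.0.2.2"]},
    "mail.domain.org": {"A": ["192.0.2.3"], "TXT": ["v=spf1 a -all"]},
    "www.eu.domain.org": {"A": ["192.0.2.4"]},
}

def node_exists(zone, name):
    """A name exists if it owns records or is an ancestor of an owner
    (an empty non-terminal such as eu.domain.org above)."""
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup_txt(zone, qname):
    """TXT rdata a resolver would get for qname (RFC 4592 semantics)."""
    if node_exists(zone, qname):
        # An existing name is never answered from a wildcard,
        # even when it has no TXT record of its own.
        return zone.get(qname, {}).get("TXT", [])
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if node_exists(zone, encloser):
            # Only the wildcard directly below the closest encloser applies.
            return zone.get("*." + encloser, {}).get("TXT", [])
    return []

def spf_policy(zone, qname):
    """Return the SPF record text that applies to qname, or None."""
    for txt in lookup_txt(zone, qname):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None

def hosts_without_spf(zone):
    """Names with an A record that no SPF record (own or wildcard) covers."""
    return sorted(n for n, rr in zone.items()
                  if "A" in rr and spf_policy(zone, n) is None)

if __name__ == "__main__":
    for host in hosts_without_spf(ZONE):
        print("no SPF policy:", host)
```

In this sample the wildcard answers for names that do not exist at all, but www.domain.org and www.eu.domain.org, which do exist with A records, are left without a policy.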