[ I'm explaining, not arguing. ]

The importance of the question of what domains are valid for mail became apparent during the endless discussions about DKIM SSP. (No, I'm not saying that SSP in anything like its current form is a good idea.)

In case anyone hadn't noticed, filtering spam by looking for the characteristics of bad messages is a losing battle. So the current work with DKIM et al. is to make it easier to recognize messages from known good senders, thereby reducing both the number of messages that need expensive filtering, and also allowing somewhat more aggressive filtering on what's left.

One of the issues has to do with domains that have a lot of subdomains, some of which send mail and most of which don't. If, say, ibm.com goes to the effort of persuading everyone that they are well behaved, we can expect bad guys to try to piggyback onto their good reputation. A certain amount of mail comes from [EMAIL PROTECTED], but plenty comes from [EMAIL PROTECTED], [EMAIL PROTECTED], and a variety of other subdomains. We expect that IBM will start signing their mail, so at some point receivers can assume that mail that purports to be from ibm.com or us.ibm.com that doesn't have a signature is likely to be bogus. (This is what SSP tries to do.)

But what about mail from [EMAIL PROTECTED] or [EMAIL PROTECTED], or any of a zillion other hosts that have A records and presumably someday will have AAAA records? It would be really nice if IBM could say forget it, not from us, for all of their non-mail domains. Even if we get MX 0 . on standards track, it will be rather cumbersome, since it would roughly double the size of every non-trivial DNS zone with an MX 0 . for nearly every A or AAAA record. For reasons I presume all of us know, DNS wildcards don't help, and the various tree climbing and zone cut kludges aren't workable.

So if you agree that it is likely to be useful to identify mail from real senders, by far the simplest way to do that would be to require an MX for the real senders' domains.

R's,
John
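The two receiver-side rules contrasted in the message above, as an added example that is not part of the original post: the A/AAAA fallback with per-name `MX 0 .` opt-outs versus requiring an MX for sender domains. The zone contents (under example.com) are constructed and the function names are hypothetical.

```python
# Constructed zone for illustration; example.com stands in for a large sender.
ZONE = {
    "example.com":          {"A": ["192.0.2.1"], "MX": [(10, "mail.example.com")]},
    "us.example.com":       {"MX": [(10, "mail.example.com")]},
    "mail.example.com":     {"A": ["192.0.2.3"]},
    "www.example.com":      {"A": ["192.0.2.4"]},
    "printer7.example.com": {"AAAA": ["2001:db8::7"]},
}

def _has_address(rr):
    return bool(rr.get("A") or rr.get("AAAA"))

def mail_domain_with_fallback(zone, domain):
    """MX if present, else fall back to A/AAAA; 'MX 0 .' is an explicit opt-out."""
    rr = zone.get(domain, {})
    if rr.get("MX"):
        return any(target != "." for _pref, target in rr["MX"])
    return _has_address(rr)

def mail_domain_mx_required(zone, domain):
    """Only a name that publishes a usable MX counts as a sender domain."""
    rr = zone.get(domain, {})
    return any(target != "." for _pref, target in rr.get("MX", []))

def names_needing_null_mx(zone):
    """Names the fallback rule would accept that carry no MX: each needs 'MX 0 .'."""
    return sorted(d for d, rr in zone.items() if not rr.get("MX") and _has_address(rr))

def add_null_mx(zone):
    """Return a copy of the zone with 'MX 0 .' on every non-mail name."""
    out = {d: dict(rr) for d, rr in zone.items()}
    for d in names_needing_null_mx(zone):
        out[d]["MX"] = [(0, ".")]
    return out

def record_count(zone):
    return sum(len(v) for rr in zone.values() for v in rr.values())

if __name__ == "__main__":
    for d in sorted(ZONE):
        print(f"{d:22} fallback={mail_domain_with_fallback(ZONE, d)!s:5} "
              f"mx_required={mail_domain_mx_required(ZONE, d)}")
    print("records:", record_count(ZONE), "->", record_count(add_null_mx(ZONE)))
```

Under the MX-required rule the zone is left unchanged and the non-mail names are rejected as sender domains; under the fallback rule the same result needs one extra record per address-only name.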
