I don't see how I would end up in a situation where I attach a wildcard to a
policy that says all mail is signed. Since NOMAIL is out of scope it is
entirely acceptable to present the following options:
1) You can deploy DKIM policy for specific domain records using your existing
DNS server.
2) To deploy a wildcard policy you will need to upgrade your server if it does
not support new RRs.
Hence my belief that gating wildcards on a new RR is acceptable while gating
policy itself is not.
+1
Regards,
Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html