I have spammers create a new domain with valid SPF and start spamming that day. they are very hard to find and block the same day.
SAN certs allowed you to use one cert for both internal and external services.
one cert registered to the Public and verifiable FQDN, with Alternate names in the cert something.local.
Internal CA's are very hard to deploy with BYOD these days.
(Bring Your Own Device)
Interesting timing ; not quite the same.
One is Defensive Planning; One is about New ways to use things.
US Government Announces National Day of Civic Hacking
Nature always sides with the hidden flaw.