I know I've read somewhere how the authentication records work, but I can't seem to find it again today.
I currently see network traffic for multiple authentication records being used. It makes sense when you have a set up like:
That for asset z.x.y.w bound to default-domain.com would try each of those credentials had one of them failed, but I don't understand why it would try firstname.lastname@example.org ?
These IPs are specifically called out in auth records while a separate domain auth records are also somehow getting used. Can anyone explain how this works??