hadn't been getting emails from ns003 since tweaking my SPF configuration a few weeks ago. dig ns003.unternet.net txt didn't return anything; a wildcard entry apparently doesn't work when there's an A (or probably any other) record already matching the exact name. so instead of adding more records to the zone file, I just changed /etc/hostname, /etc/mailname, and got rid of ns003 in /etc/hosts and /etc/exim4/update-exim4.conf.conf as well. restarted exim4 and finally could email out again. wonder if this will have unintended side effects... probably.

