Your domain is verified by each service provider using the protocol, so it's not really possible for a service you're not using to consider the domain verified already.
Of course, it is possible for an attacker to try to verify your domain name with a new service provider by entering your email on user signup / domain verification and claiming to be you. This would, as you say, prompt the service provider to send a verification email, but that's what would happen today anyway if an attacker attempted to sign you up to a new service.
> What you are proposing provides DNS based authentication, but not necessarily authorization in contrast to current systems.
Could you elaborate here for me?
> In your system the auth relies on the operator of the email address or phone number.
In the case where a domain already has a Domain Verification record, then that's correct. In the case where a Domain Verification record does not already exist, then it relies on someone with access to DNS.
> In situations where you have a NOC or other tier 1 team that normally wouldn’t have access to create TXT records this presents a security hole.
Sorry, I'm sure I'm being dense, but could you provide an example of the sort of security hole you're seeing here?