Time-limited address validity Can't be less than a week (ish) maximum delay before a bounce Can be achieved by key rollover or a timestamp in the address or a mixture of the two What frequency of re-keying? What quality of key randomness? Cross-cluster synchronized re-keying?