There's support for exclusive domain mapping enforcement in the trunk now. It'd be good if someone could try it out, because the unit tests I was able to come up with aren't all that close to a real-world environment.
Just set exclusive_domain=True in the BASE router (for all domains) or an app router (for that app's domain). You'll get a SyntaxError exception if you call URL() to generate a URL for a different app unless you explicitly provide a host= argument to URL. Or at least that's the intention.
BTW, WRT the issue of search engines being confused by multiple URLs pointing to the same pages, you might want to investigate Google's canonical-host logic. It may not be helpful, in that it might deal only with complete domain duplication (e.g. www.domain.com and domain.com) rather than overlapping subsets of domains; I'm not sure.