ietf-mxcomp

RE: DEPLOY: Over-running TXT dataspace in FQDN (-protocol I believe)

2004-08-26 14:35:56

In this thread, Rand points out that complicated domains may wish to
publish both SPF1 and SPF2 records, and that this effectively cuts their
maximum record size in half (if they want to fit into a DNS UDP packet,
which they do).  He also points out that these are exactly the domains
that may be pushing the DNS UDP size limits.

While this is an issue, there's a trivially easy workaround: For your
domain, publish very short SPF1 and SPF2 records, that just contain
"REDIRECT=subdomain".  If your SPF1 and SPF2 data are identical, they
can both refer to the same subdomain; if your SPF1 and SPF2 data differ,
they can refer to different subdomains.

Problem solved.


But wait, I hear critics cry: Doesn't that double the number of lookups
someone has to do?

Yes, it does.  But the large, complicated domains that have this issue
are almost exactly the ones that send lots of legitimate mail.  As such,
their records will usually already be in your resolver's DNS cache.
(Said differently, it doesn't matter how complicated AOL's records are,
because your DNS cache will only fetch them once a week.) 


-- Jim Lyon
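
The size arithmetic behind the workaround in the message above, as an added example that is not part of the original message. It assumes the classic 512-byte DNS UDP limit, counts only header, question and answer sections (a lower bound), and writes "SPF2" as spf2.0/pra with a lowercase redirect= modifier; the domain names, subdomain labels and addresses are constructed.

```python
# Added example (not from the original message). Domain names, addresses and
# record texts below are constructed for illustration.
DNS_UDP_LIMIT = 512  # classic DNS-over-UDP message limit (RFC 1035, no EDNS0)

def name_len(name):
    """Wire length of a name: one length byte per label plus the root byte."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1

def txt_rdata_len(text):
    """TXT RDATA is a run of character-strings of at most 255 bytes,
    each preceded by a one-byte length."""
    n = len(text.encode("ascii"))
    return n + max(1, -(-n // 255))

def txt_response_size(name, records):
    """Size of a response carrying every TXT record published at `name`."""
    header, question = 12, name_len(name) + 4      # + QTYPE, QCLASS
    # Per answer: 2-byte compressed owner name, TYPE, CLASS, TTL, RDLENGTH.
    return header + question + sum(12 + txt_rdata_len(r) for r in records)

def report(zone):
    """Map each owner name to (response size, fits in one UDP message)."""
    return {name: (txt_response_size(name, recs),
                   txt_response_size(name, recs) <= DNS_UDP_LIMIT)
            for name, recs in zone.items()}

# Constructed policy: 20 documentation-range addresses.
POLICY = " ".join(f"ip4:198.51.100.{i}" for i in range(10, 30)) + " -all"
SPF1, SPF2 = "v=spf1 " + POLICY, "spf2.0/pra " + POLICY

# Both long records published at the domain itself.
DIRECT = {"example.com": [SPF1, SPF2]}

# The workaround: short redirect records at the domain, long data elsewhere.
REDIRECTED = {
    "example.com": ["v=spf1 redirect=_spf1.example.com",
                    "spf2.0/pra redirect=_spf2.example.com"],
    "_spf1.example.com": [SPF1],
    "_spf2.example.com": [SPF2],
}

if __name__ == "__main__":
    for label, zone in (("direct", DIRECT), ("redirected", REDIRECTED)):
        for name, (size, ok) in report(zone).items():
            print(f"{label:10} {name:18} {size:4} bytes  fits={ok}")
```

Each long record fits on its own; only the combined TXT answer at the domain exceeds the limit, which is why moving the data behind redirects works.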