
Re: Trouble with Sender Authentication

2006-11-07 13:16:50

Douglas Otis wrote:

> Promotion of SPF effectively thwarts any consideration of alternatives
> on spf-discuss.

You'll tell us when you've found a better way to partition all IPs into
three sets PASS, FAIL, or DUNNO (with as many variants of DUNNO as you
need).

> 45 pages in the addendum trace SPF resolving a single name at
> about 64:1 increase in traffic.

Nice to see that you agree that your data doesn't back up your
claims, but even your 64:1 number is bogus.
 
> How so?

Because 100/11 is a bit more than 9, and 100/12 is a bit less than 9.

> a gift given an attacker by those executing SPF script.

The stuff is called "SPF policy" or "SPF record", not "SPF script".

It's a simple sequence of mechanisms telling receivers to which of
the three sets PASS, FAIL, or DUNNO a given IP belongs.  

Three of the mechanisms (ip4, ip6, all) need zero DNS queries.
Two of the mechanisms (a, exists) need one additional DNS query.
One mechanism (include) needs two DNS queries (TXT + SPF).
One modifier (redirect=) behaves like include wrt DNS queries.

One mechanism (ptr) needs up to 10 DNS queries per connecting IP,
no matter how often it's used in various SPF policies evaluated
during that SMTP session.

One mechanism (mx) needs up to 10 queries.  There can be at most
10 mechanisms causing any additional DNS query at all per policy.

10+1 is 11, 10+2 is 12, 10*10 is 100, and 100/11 is about 9, not
64, 1000, or other random numbers you care to name.

Frank
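An added example, not from the thread, that applies the per-mechanism accounting above to a record a domain owner is about to publish: it parses a v=spf1 string, counts the terms that cause DNS queries against the "at most 10" limit, and sums the worst-case queries the way the message tallies them. The function and table names are mine, and only the top-level record is examined; policies pulled in by include or redirect= would need the same check run on them.

```python
# Terms that count against the limit on DNS-querying terms per policy.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
MAX_LOOKUP_TERMS = 10

# Worst-case additional DNS queries per term, as tallied in the message:
# a/exists 1, include/redirect 2 (TXT + SPF), mx and ptr up to 10 each.
# ip4, ip6 and all cost nothing and are absent from the table.
WORST_CASE_QUERIES = {"a": 1, "exists": 1, "include": 2,
                      "redirect": 2, "mx": 10, "ptr": 10}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, name, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:            # modifier, e.g. redirect=_spf.example.net
            name, arg = term.split("=", 1)
        elif ":" in term:          # mechanism with domain-spec, e.g. include:x
            name, arg = term.split(":", 1)
        elif "/" in term:          # bare mechanism with CIDR, e.g. a/24
            name, arg = term.split("/", 1)
            arg = "/" + arg
        else:
            name, arg = term, ""
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def count_lookup_terms(record):
    """How many terms in this record cause DNS queries at evaluation time."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)


def check_lookup_limit(record):
    """Return (count, within_limit) for a publisher's sanity check."""
    n = count_lookup_terms(record)
    return n, n <= MAX_LOOKUP_TERMS


def worst_case_queries(record):
    """Sum the per-term worst-case query counts for the top-level record only."""
    return sum(WORST_CASE_QUERIES.get(name, 0) for _, name, _ in parse_spf(record))


if __name__ == "__main__":
    # Constructed sample record; example.net names are placeholders.
    sample = "v=spf1 mx a include:_spf.example.net ip4:192.0.2.0/24 -all"
    print(check_lookup_limit(sample), worst_case_queries(sample))
```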

