Roger Moser:
Of course if you have "exists:%{l}.spf.example.com" in your
SPF record, then
(1) you must prevent everyone from reading the names of the
subdomains from your name server (that means you must disable
zone transfers) and
(2) you must be prepared for a dictionary attack.
Otherwise don't use "exists:%{l}.spf.example.com".
What do you mean by dictionary attack for "exists:%{l}.spf.example.com"?
Are you willing to allow some users to send emails from any IP?
This is nonsense - you must use "exists:" to configure SPF on a per-user basis,
not to bypass it.
If you wish to allow select users to bypass SPF - impose some limit on this.
Create dynamic %{ir}.%{l}.spf.example.com and track IPs used while sending
emails from that user.
Block IPs blacklisted in some reputation services, block high-volume queries
(but allow the user to white-list IPs or ranges in some
web interface).
I agree with you that bypassing SPF using "exists:%{l}.spf.example.com" is
clearly a misconfiguration!
--
Andriy G. Tereshchenko
Odessa, Ukraine
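A small model of the two "exists:" variants discussed above, added here as an example and not code from either poster. It assumes a toy name server represented as a Python set and implements only the macro subset used in the thread (%{l}, %{d}, %{i}, %{ir}), not the full RFC 7208 macro language; the allow-list and addresses are constructed sample data.

```python
import ipaddress
import re

def expand_macro(spec, sender, ip):
    """Expand the SPF macros that appear in this thread: %{l} (local-part),
    %{d} (domain), %{i} (IP), %{ir} (IP reversed). Simplified subset of
    RFC 7208 section 7: no transformers, delimiters or URL escaping."""
    local, _, domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = str(addr).split(".")
    else:
        # RFC 7208 expands IPv6 as dot-separated nibbles
        parts = list(addr.exploded.replace(":", ""))
    macros = {"l": local, "d": domain,
              "i": ".".join(parts), "ir": ".".join(reversed(parts))}
    return re.sub(r"%\{(\w+)\}", lambda m: macros[m.group(1)], spec)

def build_zone(target, allowed, domain="example.com"):
    """Toy name server: the set of names for which an A record exists.
    `allowed` holds (local-part, ip) pairs; only those combinations resolve."""
    return {expand_macro(target, f"{user}@{domain}", ip) for user, ip in allowed}

def exists_check(target, sender, ip, zone):
    """Result of the SPF "exists:" mechanism against the toy zone."""
    return "pass" if expand_macro(target, sender, ip) in zone else "fail"

# Constructed allow-list: alice may send from two addresses, bob from one.
ALLOWED = {("alice", "203.0.113.10"), ("alice", "198.51.100.7"),
           ("bob", "203.0.113.22")}
WEAK = "%{l}.spf.example.com"          # per-user only: any IP passes once the name exists
STRICT = "%{ir}.%{l}.spf.example.com"  # per-user and per-IP, as proposed in the reply

WEAK_ZONE = build_zone(WEAK, ALLOWED)
STRICT_ZONE = build_zone(STRICT, ALLOWED)

if __name__ == "__main__":
    # The weak form passes alice from an unknown IP; the strict form does not.
    for target, zone in ((WEAK, WEAK_ZONE), (STRICT, STRICT_ZONE)):
        for ip in ("203.0.113.10", "192.0.2.99"):
            print(target, ip, exists_check(target, "alice@example.com", ip, zone))
```

The weak zone answers for every IP once a user's name exists, which is the bypass the reply objects to; the strict zone only answers for (user, IP) pairs that were recorded or white-listed.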