Alex van den Bogaerdt wrote:
Currently you publish about 11 subnets (I didn't count carefully,
it may be 10 or 12) and we (our software) have to find out if an
IP address is a member of these subnets.
What I propose is that you replace this with a mechanism where
we would give the IP address to you, then you look it up and
respond match or non_match. This does not imply that you need
to change your policy.
What is being implemented now (after yesterday's change, which has
already propagated to some places) is far more resource efficient than
what you are proposing.
The list of IP blocks is fetched within the same query that gets the SPF
record. It's a query that is done no matter what. So to maximize its
value, it is correct to fill it with as much information as possible. If
an exists: mechanism was pointed to, a second query would be required,
whereas in the current implementation it is not necessary.
On top of this, the current record can be cached by a local DNS server,
whereas the exists: query cannot be cached. This is because forged
@rr.com email comes from potentially all 4 billion IP addresses in the
world, and you'd have to do a query for each one individually.
So yes, you could save a few bytes in the SPF record, but it would cost
4 billion queries, plus the storage required to cache each one of those
queries. I don't know about you, but I get forged rr.com email all the time.
Radu.
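To make the query-count argument concrete, here is an added example (not code from either poster) that evaluates the ip4:, exists: and all terms of an SPF record for a sender IP and counts the DNS queries needed beyond the initial TXT fetch. The two records and the resolver stub are constructed placeholders, not rr.com's real data; the resolver stands in for the A query an exists: mechanism would trigger.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (placeholder networks, not rr.com's real record).
IP4_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ip4:203.0.113.8 -all"
EXISTS_RECORD = "v=spf1 exists:%{ir}.spf.example.net -all"


def check_spf(record, sender_ip, resolver=None):
    """Evaluate one SPF record (IPv4 only) for sender_ip.

    Returns (result, extra_lookups). extra_lookups counts DNS queries beyond
    the TXT fetch that delivered the record: ip4: terms need none, while each
    exists: term needs one A query per sender IP. resolver(name) -> bool is a
    hypothetical stub for that A query, not a real DNS call."""
    ip = ipaddress.IPv4Address(sender_ip)
    lookups = 0
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", lookups
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # Membership test against the published block: no DNS needed.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], lookups
        elif name == "exists":
            # %{ir} expands to the reversed dotted IP, so the query name is
            # unique per sender and a local DNS cache cannot share it.
            reversed_ip = ".".join(reversed(str(ip).split(".")))
            lookups += 1
            if resolver is not None and resolver(arg.replace("%{ir}", reversed_ip)):
                return QUALIFIERS[qualifier], lookups
        elif name == "all":
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups


def lookup_cost(record, sender_ips, resolver=None):
    """Total extra DNS queries needed to check every IP in sender_ips."""
    return sum(check_spf(record, ip, resolver)[1] for ip in sender_ips)
```

Checking many distinct sender IPs against IP4_RECORD costs zero extra queries, while EXISTS_RECORD costs one per IP, which is the point Radu makes about forged mail arriving from arbitrary addresses.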