Forgive me for jumping in late, here, but I have some comments about
this thread.
A mech that uses both the %{i} and the %{l} or %{s} mechanisms (like
altavista.com -
+exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com)
will cost a full 50*50*200 queries to the internet. Pray that the
zombies don't
forge altavista, or you'll get aquainted with the wrath of SPF.
In this case, won't altavista's DNS servers also be swamped by requests
and therefore they must be aware of the cost of their SPF configuration
as well? What I'm basically getting at is that both sides are impacted
by the 'cost' of an SPF record and if someone chooses to have a costly
DNS record, then it is their choice. Heck, why don't change the
convention so that URL's and email addresses use IP's, too, and get rid
of DNS altogether! I know I'm being extreme there, but allow me to
continue.
Basically, as I see it this debate pitts simplicity and readability on
one side with 'efficiency' on the other. The costs of bandwith and
processing are getting ever-cheaper while I believe that SPF will not
achieve mass-adoption without simplicity. And readability is a great
contributor to simplicity, in my opinion. SPF has enough trouble
achieving mass adoption--don't add this to the pile.
As I've said before: This list is heavily skewed toward the
email-receiving side (as opposed to people like me who just don't want
our domains to be forged). The more difficult we make this to
administer, the easier it will be for people to make mistakes, leading
to valid emails being dropped. For the many business that have a
part-timer or outsourced support for IT infrastructure such as this,
that person will drop SPF and just go back to having nothing. And there
are a lot of businesses that operate in this way.
Marc Alaia