I get the impression that masking is considered some holy grail --
masking does fix a number of things, but it is still a long road ahead,
a road filled with providing education to those who might (or have) come
under attack as to what needs to change and why it's not SPF's fault
(but that still doesn't keep people from blaming SPF). Adding anything
new does not short circuit any of the work that needs to be done.
Masking is not a holy grail, but one small defense against the SPF-doom
virus. SPF record compilation is the big defense. Any SPF record that
will compile to less than 450 bytes can provide a cacheable SPF check in
one packet, and that's as good as it gets. For the small fraction of
records that need more than one DNS message packet, masks can reduce the
need to call for the additional packets. I don't see this as a big
benefit, but it's no big cost either.
The cost may be potential errors by admins trying to create masks by hand,
and masking out a legitimate IP address. Maybe we should say masks are
allowed only in compiled records. That would keep people from even
starting down the wrong path. The right path, if your concern is
efficiency, is to compile your record, not mess around with more complex
SPF syntax.
-- Dave
************************************************************
* David MacQuigg, PhD          email: david_macquigg(_at_)yahoo(_dot_)com
* IC Design Engineer           phone: USA 520-721-4583
* Analog Design Methodologies
*                              9320 East Mikelyn Lane
* VRS Consulting, P.C.         Tucson, Arizona 85710
************************************************************