Having debugged this issue I can confirm that the use of a:domain/cidr is broken , at least when used in an spf1 record, for example:

v=spf1 a:widget.com/24 -all

I have raised a bug that includes a provisional fix.

Cheers
Steve