Can an SPF record use both 'ip4' and 'ip6' mechanisms?
Matthew Whittaker
Co-founder & CTO, Suped
Published 2 Sep 2025
Updated 6 Nov 2025
6 min read
When setting up email authentication, particularly with Sender Policy Framework (SPF), a common question arises regarding the inclusion of both IPv4 and IPv6 addresses. As the internet continues its transition to IPv6, ensuring your SPF record adequately covers all your sending IP addresses, regardless of their version, is crucial for email deliverability.
The straightforward answer is yes, an SPF record can and often should use both the ip4 and ip6 mechanisms. Properly configuring these mechanisms ensures that emails sent from both IPv4 and IPv6 addresses are authorized, helping to prevent them from being marked as spam or rejected by recipient mail servers.
The key is to include all authorized IP addresses within a single SPF TXT record for your domain. Multiple SPF records are not permitted and can lead to validation failures, which is why merging all necessary mechanisms, including ip4 and ip6, into one record is essential.
How to combine 'ip4' and 'ip6' mechanisms
How to combine 'ip4' and 'ip6' mechanisms
The SPF specification allows for multiple ip4 and ip6 mechanisms within a single SPF record. This is a common requirement for organizations that send emails from various servers or third-party services, some of which might use IPv4 addresses and others IPv6. It's crucial to remember that a domain should only have one SPF TXT record in its DNS. If you have separate records for IPv4 and IPv6, they must be merged.
The ip4 and ip6 mechanisms allow you to specify individual IP addresses or IP ranges using CIDR notation. This flexibility is powerful for accurately defining your authorized sending sources. When you list multiple IP addresses or ranges, each ip4 or ip6 entry is evaluated sequentially. For a more detailed understanding of how IP addresses are specified, refer to our guide on what SPF mechanism allows for IP addresses.
SPF lookup limit considerations
Be mindful of the SPF DNS lookup limit. Each include, a, mx, ptr, and exists mechanism counts as one DNS lookup. If your SPF record exceeds 10 lookups, it will result in a PermError, causing legitimate emails to fail SPF authentication. Directly listing ip4 and ip6 mechanisms does not count against this limit, making them a good choice for direct IP authorization.
Why combining IP mechanisms is vital for deliverability
Why combining IP mechanisms is vital for deliverability
The internet's ongoing shift towards IPv6 means that many email sending services, especially cloud-based ones, are increasingly utilizing IPv6 addresses. If your SPF record only includes ip4 mechanisms, emails sent from an IPv6 address, even if legitimate, will fail SPF authentication. This can lead to significant deliverability issues, with emails being delayed, quarantined, or outright rejected by recipient mail servers.
Properly configured SPF records that account for both IPv4 and IPv6 sending sources are a cornerstone of good email deliverability. They signal to recipient servers that your emails are authentic, reducing the likelihood of them being mistaken for spam or phishing attempts. This comprehensive approach is part of a best practice for using IP addresses in SPF records.
By ensuring your SPF record covers all IP versions, you strengthen your overall email authentication posture. This aligns with other critical email security protocols like DKIM and DMARC, working together to verify sender identity and protect your domain's reputation. A robust SPF record is a foundational element in a simple guide to DMARC, SPF, and DKIM.
Using an outdated SPF record
Limited Coverage: Only authorizes IPv4 sending sources, ignoring IPv6. Modern email providers use IPv6 more and more.
Deliverability Risk: Emails from legitimate IPv6 servers fail SPF checks, increasing the chance of being flagged as spam.
Reputation Impact: Inconsistent authentication can negatively affect your domain's sending reputation.
Using a comprehensive SPF record
Full Authorization: Covers both IPv4 and IPv6 sources, ensuring all legitimate emails pass SPF validation.
Improved Deliverability: Reduces spam flagging and improves inbox placement for all emails.
Stronger Reputation: Consistently authenticating all emails builds trust with recipient servers and enhances brand image.
Best practices for a robust SPF record
Best practices for a robust SPF record
While ip4 and ip6 mechanisms don't count towards the 10 DNS lookup limit, you still need to be strategic. Listing every individual IP address can make your SPF record unwieldy and difficult to manage. Whenever possible, use CIDR notation to define IP ranges, which simplifies the record and reduces its length. This is particularly important when dealing with SPF mechanisms that specify a list of IP addresses.
Another common pitfall is having multiple 'v=spf1' declarations. A domain can only have one SPF record. If you have multiple services, consolidate their IP addresses and include mechanisms into a single, comprehensive record. Regularly review your SPF record to ensure it reflects your current sending infrastructure and remains compliant with the 10-lookup limit for DNS-based mechanisms. You can read more about the SPF lookup limit explained for more details.
For ongoing management and optimization, a DMARC monitoring solution can be invaluable. Tools like Suped provide a unified platform to monitor SPF, DKIM, and DMARC, offering AI-powered recommendations to fix issues and strengthen your policy. This includes identifying SPF failures related to IP addresses and assisting with SPF flattening to stay within the lookup limits, ensuring your emails are always authenticated correctly.
Ensuring comprehensive email authentication
Ensuring comprehensive email authentication
In summary, an SPF record not only can but should utilize both ip4 and ip6 mechanisms to authorize all legitimate email sending sources. This forward-thinking approach is critical for maintaining high email deliverability rates in an evolving internet landscape. Ignoring IPv6 can lead to unnecessary email delivery failures and a damaged sender reputation.
Regular monitoring and proactive maintenance of your SPF record are essential, especially as your sending infrastructure changes or you adopt new third-party email services. Always consolidate all authorized IP addresses and domains into a single SPF record to avoid configuration errors that can negatively impact your email program.
A robust DMARC monitoring solution, like the one offered by Suped, can provide real-time alerts and actionable recommendations to ensure your SPF, DKIM, and DMARC policies are always optimized. Their generous free plan and unified platform make DMARC accessible and manageable for any organization.
Implementing a comprehensive SPF strategy with both IPv4 and IPv6 mechanisms is a fundamental step toward achieving stronger email security and maximizing your deliverability.
