Yes, you absolutely can. An SPF record is designed to be flexible, allowing you to specify all your authorized mail servers in a single record, regardless of whether they use IPv4 or IPv6 addresses. It is standard practice to include both ip4 and ip6 mechanisms within the same SPF TXT record.
Sender Policy Framework (SPF) is a crucial email authentication standard that helps protect your domain from being used for phishing and spoofing. It works by creating a DNS record that lists which IP addresses are permitted to send email on behalf of your domain. The ip4 and ip6 mechanisms are the most direct way to do this, specifying exact IPv4 and IPv6 addresses.
If you use different services to send emails, and some use IPv4 while others use IPv6, you will need to list them all in your single SPF record to ensure legitimate emails are properly authenticated.
Combining ip4 and ip6 mechanisms is straightforward. You simply list them one after another, separated by spaces. All SPF mechanisms and modifiers are placed within a single string in your DNS TXT record.
Here is an example of a valid SPF record that authorizes one IPv4 address and one IPv6 address:
v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 -all
Let's break this down:
You can add multiple addresses of each type and also specify IP ranges using CIDR notation, for instance ip4:192.0.2.0/24. As noted by URIports, the maximum CIDR length for IPv4 is 32 and for IPv6 is 128.
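To make the matching concrete, here is an added example (not from the original page or from any SPF library) that parses the ip4 and ip6 mechanisms of a record, rejects prefix lengths above 32 or 128, and evaluates a sending IP in record order. The function names and the sample record are constructed for illustration, and other mechanisms such as include, a and mx are deliberately skipped.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record using documentation address ranges.
SAMPLE = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"

def parse_ip_mechanisms(record):
    """Return ([(qualifier, network), ...], qualifier of 'all' or None)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    networks, all_qualifier = [], None
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, value = body.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
            break  # nothing after "all" is ever evaluated
        if name not in ("ip4", "ip6"):
            continue  # include, a, mx and modifiers are not handled here
        _, slash, prefix = value.partition("/")
        if slash and not prefix.isdigit():
            raise ValueError(f"prefix length must be a number: {term}")
        # ip_network rejects prefixes above 32 (IPv4) or 128 (IPv6).
        net = ipaddress.ip_network(value, strict=False)
        if net.version != int(name[2]):
            raise ValueError(f"{name} given an IPv{net.version} address: {term}")
        networks.append((qualifier, net))
    return networks, all_qualifier

def check_sender(record, sender_ip):
    """SPF result for sender_ip, considering only ip4, ip6 and all."""
    networks, all_qualifier = parse_ip_mechanisms(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, net in networks:  # first matching mechanism wins
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    # No match: fall back to "all"; without it the result is neutral.
    return RESULTS[all_qualifier] if all_qualifier else "neutral"

if __name__ == "__main__":
    for candidate in ("192.0.2.55", "198.51.100.8", "2001:db8:abcd::25", "2001:db9::1"):
        print(candidate, check_sender(SAMPLE, candidate))
```

A sender on either address family is checked against the same record, which is why both families must be listed together.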
While combining IP versions is simple, there are critical rules for SPF records that you must follow to ensure your email authentication works correctly.
In conclusion, using both ip4 and ip6 in your SPF record is a fundamental part of creating a complete and accurate email authentication policy. Just remember to keep all your rules in a single record and stay within the protocol's limits.