Can I use both ip4 and ip6 in the same SPF record?

Yes, you can use both ip4 and ip6 mechanisms in the same SPF record. This is common when your email infrastructure uses both IPv4 and IPv6 addresses for sending mail.

What happens if I list an incorrect IP address in my SPF record?

If an incorrect IP address is listed, emails sent from that IP will likely fail SPF authentication. This can cause those emails to be rejected, marked as spam, or face delays, negatively impacting your email deliverability and potentially your sender reputation.

Is it better to use ip4/ip6 directly or an include mechanism?

It depends on the sending source. For IP addresses you directly control and that are unlikely to change, direct ip4/ip6 listing is effective. For third-party services, an include mechanism is generally better as they manage their own IP changes.

How does DMARC relate to ip4 and ip6 mechanisms?

DMARC leverages SPF (and DKIM) authentication results. If an email fails SPF authentication due to an unlisted IP address, DMARC will instruct receiving servers on how to handle the message (e.g., quarantine or reject) based on your DMARC policy . DMARC reports also provide visibility into these failures.

Are there limits to how many IP addresses I can list using ip4 and ip6?

While there isn't a strict numerical limit on IP addresses within ip4 and ip6 mechanisms, your SPF record must not exceed the DNS lookup limit of 10 . ip4 and ip6 mechanisms themselves do not count as DNS lookups, but other mechanisms like a , mx , ptr , and include do. A very long SPF record can also hit the 255-character limit for a single string.

What SPF mechanism specifies a list of IP addresses? - SPF - Email authentication - Knowledge base

An expert analyzes a network diagram with SPF and IP addresses.

When you send an email, the receiving server needs a way to verify that the message actually came from your domain and wasn't spoofed. This is where SPF, or Sender Policy Framework, comes into play. It's a fundamental email authentication standard that helps prevent unauthorized senders from using your domain, protecting your reputation and improving your email deliverability.

An SPF record, published in your domain's DNS, essentially lists all the servers that are authorized to send email on your behalf. These authorizations are specified through various mechanisms, which act as rules within the record. Among these mechanisms, some are specifically designed to identify and authorize email sending by listing IP addresses directly.

Understanding SPF and its mechanisms

An SPF record is a TXT record in your DNS that defines which mail servers are permitted to send email on behalf of your domain. It's like a guest list for your domain's email. If an email comes from a server not on the list, it raises a red flag, which can impact deliverability and lead to messages being marked as spam or rejected. The record is composed of a version number and various mechanisms, each serving a specific purpose in evaluating a sending IP address.

These mechanisms are the building blocks of an SPF record, acting as rules to evaluate the sender's IP address against the authorized list. When an email server receives a message, it checks the SPF record of the sending domain and goes through these mechanisms one by one until a match is found, or the end of the record is reached.

Different mechanisms allow for various authorization methods. For instance, some mechanisms refer to other domains' SPF records, while others explicitly list IP addresses or even check MX or A records. For directly specifying a list of IP addresses, there are two primary mechanisms dedicated to this task.

The ip4 and ip6 mechanisms

The SPF mechanisms specifically designed to specify a list of IP addresses are ip4 and ip6. The ip4 mechanism is used for IPv4 addresses, and the ip6 mechanism is for IPv6 addresses. These mechanisms explicitly authorize specific IP addresses or ranges to send mail for your domain. This direct approach offers precise control over which sending sources are approved.

Example SPF record using ip4 and ip6 mechanismsdns

v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::1/64 -all

You can list individual IP addresses or use CIDR notation to specify entire blocks of IP addresses. For example, ip4:198.51.100.0/24 authorizes any IP address within that range. This is particularly useful when you have multiple servers or a large network sending email on your behalf.

Best practices for ip4 and ip6

Accuracy is key: Ensure all listed IP addresses are current and correct. Incorrect IPs can lead to legitimate emails failing SPF validation.
Minimalism: Only include IP addresses that genuinely send email for your domain. Overly broad ranges can weaken your SPF protection.
Updates: Regularly review your SPF record, especially if your email infrastructure changes. Stale records are a common source of deliverability issues.

Implementing IP address mechanisms

To effectively use ip4 and ip6 mechanisms, you'll need to add them to your domain's SPF record in your DNS settings. It's crucial to list all legitimate sending IP addresses, including those from your own mail servers, third-party email service providers (ESPs), and any other systems authorized to send on your behalf. Missing even one authorized IP can cause your emails to fail authentication, leading to deliverability problems.

Secure email flow with SPF and DMARC checks.

It's also important to be mindful of the 10-DNS-lookup limit for SPF records. Each include or A/MX mechanism often counts as one lookup. While ip4 and ip6 mechanisms do not count against this limit unless they are part of a larger, complex lookup chain, using SPF flattening can still be beneficial for overall record management, especially when dealing with many third-party services.

The choice between directly listing IP addresses and using include mechanisms often depends on your specific setup. Direct listing is great for static, dedicated IPs you control. For third-party services like Google Workspace, which may use dynamic IP ranges, an include mechanism pointing to their SPF record is usually the safer and more manageable option.

Direct IP listing

Control: You explicitly list every IP, giving you direct command over authorized senders. Ideal for your own server IPs.
Complexity: Requires manual updates if IPs change, which can be prone to human error.

Using include mechanisms

Delegation: You rely on the third-party service, like Google Workspace, to manage their SPF records.
Simplicity: Less maintenance for you, as their SPF changes are automatically reflected. However, it can increase DNS lookup count.

Monitoring SPF and DMARC for deliverability

Even with a perfectly configured SPF record using ip4 and ip6 mechanisms, constant vigilance is required. Email environments are dynamic, with IPs changing, new services being adopted, and threat actors constantly seeking vulnerabilities. Without proper monitoring, you might not even realize that your emails are failing SPF authentication, leading to significant deliverability issues.

This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) becomes indispensable. DMARC builds upon SPF and DKIM, providing instructions to receiving mail servers on how to handle emails that fail authentication, as well as providing valuable reporting on authentication results. If your SPF record is not correctly configured or maintained, DMARC will highlight these issues, allowing you to quickly identify and rectify problems.

To effectively manage this, a robust DMARC monitoring solution is essential. Suped offers a comprehensive platform that not only provides in-depth DMARC reports but also gives you AI-Powered Recommendations to fix issues and strengthen your policy. Our Real-Time Alerts, Unified Platform for SPF, DKIM, and DMARC, and built-in SPF Flattening simplify email security. For MSPs and agencies, our Multi-Tenancy Dashboard allows for seamless management of multiple domains. With our generous free plan, Suped makes DMARC accessible and actionable for everyone.

Securing your email with correct SPF configuration

Understanding and correctly implementing SPF ip4 and ip6 mechanisms is fundamental to strong email authentication. These mechanisms provide the direct control needed to specify which IP addresses are authorized to send email on behalf of your domain. By accurately listing these IPs, you significantly reduce the risk of email spoofing and enhance your domain's reputation.

However, SPF is just one part of the email security puzzle. For comprehensive protection and optimal deliverability, it needs to work in conjunction with DKIM and DMARC. Regularly reviewing and updating your SPF record, combined with continuous DMARC monitoring, ensures your email infrastructure remains secure and your messages consistently reach their intended inboxes.