SPF Basics

SPF ip4 and ip6 Mechanisms

SPF ip4 and ip6 mechanisms authorize explicit IPv4 and IPv6 addresses or CIDR ranges without additional DNS lookups.

Intermediate · 6 min read · Reviewed Jul 4, 2026

Quick answer

SPF ip4 and ip6 mechanisms authorize explicit IPv4 and IPv6 addresses or CIDR ranges in the policy itself. Unlike include or mx, they do not trigger extra DNS lookups beyond the initial TXT query. They are ideal for on-premise servers with stable IPs but require maintenance when providers change ranges unless those ranges are referenced via includes instead.

Beginner explanation

Not every authorized sender needs an include. If you operate a fixed SMTP server with a known public IP, you can authorize it directly with ip4 or ip6 mechanisms.

Direct IP authorization is fast for receivers because no further DNS queries are required to learn the allowed addresses. That makes ip mechanisms attractive for hybrid mail gateways and dedicated appliances.

The tradeoff is maintenance. When IPs change, you must update DNS. Includes delegate that maintenance to the provider.

Technical explanation

Syntax examples include ip4:203.0.113.10 and ip4:203.0.113.0/24 for IPv4, and ip6:2001:db8::1 or ip6:2001:db8::/32 for IPv6. Qualifiers prefix mechanisms: +ip4 is pass, -ip4 is fail, ~ip4 is softfail, ?ip4 is neutral.

Receivers compare the connecting client IP against each ip mechanism in order until a match occurs. CIDR notation allows compact authorization of subnets used by on-premise clusters or VPN egress pools.

IPv6 support is mandatory for modern dual-stack environments. Omitting ip6 while IPv6-enabled senders exist causes authentication failures when those senders connect over IPv6 paths.

Business impact

Correct ip mechanisms stabilize authentication for fixed infrastructure such as ERP or ticketing relays. Incorrect ranges either block legitimate mail or over-authorize broad networks, increasing spoofing risk.

During migrations, failure to remove legacy ip entries leaves dormant authorization that complicates audits and wastes TXT record space.

Common mistakes

- Authorizing outdated office IPs after migrating to cloud-only mail
- Using incorrect CIDR boundaries that accidentally authorize too much address space
- Forgetting ip6 mechanisms when enabling IPv6 on edge mail relays

How SPF Manager helps

SPF Manager lists all ip4 and ip6 mechanisms, highlights overly broad CIDRs, and compares them against recently observed sending IPs. It shows lookup savings from using ip mechanisms instead of includes where appropriate.

Cleanup suggestions help remove stale office IPs after cloud migration projects.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

SPF Basics

What is an SPF Record?

An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.

Beginner 6 min read

Best Practices

SPF Flattening Explained

SPF flattening replaces nested includes with explicit IP mechanisms to reduce DNS lookups and avoid the ten-lookup limit.

Advanced 8 min read

SPF Basics

SPF Include Mechanism

The SPF include mechanism authorizes another domain's SPF policy as part of your own, enabling third-party senders without listing every IP.

Beginner 5 min read

Best Practices

SPF Record Validation

SPF record validation checks syntax, duplicate policies, lookup limits, and real-world resolution before you rely on a record in production.

Beginner 6 min read