SPF glossary

What does ip4 mean in an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

ip4: authorizes a literal IPv4 address or CIDR range to send mail for your domain — ip4:192.0.2.10 for one server, ip4:192.0.2.0/24 for a block. It costs zero DNS lookups, making it the cheapest and fastest SPF mechanism. The trade-off: you maintain the list by hand when addresses change.

ip4: at a glance
Tagip4 (mechanism)
Valid valuesip4:<IPv4 address> or ip4:<network>/<prefix>, e.g. ip4:192.0.2.0/24
DefaultA bare address with no prefix length matches that single IP (/32).
Where it goesBetween v=spf1 and the final all; costs nothing, so order barely matters.

How ip4: works

ip4: is SPF at its most direct: the authorized addresses are written straight into the record, so the receiver needs no extra DNS queries to evaluate them. A single server is ip4:192.0.2.10; a network is CIDR notation like ip4:192.0.2.0/24.

Because it costs zero of the 10 DNS lookups, ip4: is the mechanism of choice for your own fixed infrastructure — the on-prem mail server, the relay with a static address. When records bump against the lookup limit, converting stable hosts from a/mx/include to ip4: is the standard remedy.

The trade-off is maintenance. Nothing updates an ip4: term but you: when a server moves, the record is wrong until someone edits it. Stale entries cut both ways — a missing new IP fails your own mail, and an old IP you've released may now belong to someone else who can pass your SPF.

Correct record vs common mistake

Correct

v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 include:_spf.google.com -all

Fixed servers listed for free (zero lookups), third-party senders via include.

Common mistake

v=spf1 ip4:192.0.2.0/8 -all

A /8 covers 16.7 million addresses — almost certainly including servers you don't control. Scope CIDR ranges to exactly what you own.

Generate your SPF record

Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

Troubleshooting ip4:

IssueLikely causeFix
Mail failing after a server migrationThe new server's IP was never added; the record still lists only the old oneAdd the new ip4 before cutover and remove the old one after — make SPF part of the migration checklist
Old ip4 entries nobody recognizesYears of accretion — servers decommissioned without record cleanupAudit against current infrastructure and remove them; a released IP may now belong to someone else
Sending IPs keep changing (cloud, autoscaling)ip4 suits fixed addresses, not dynamic poolsSend through a relay with a stable IP, or use the provider's include — they maintain the ranges

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Manual IP lists rot, and clients change hosting without telling you. Across 150 tenants, stale ip4: terms are the top reason a migration “finishes” and mail breaks three weeks later — or worse, a released cloud IP gets recycled to a stranger who can now pass SPF for your client. Fleet-wide, hand-maintained address lists need an owner and a review cadence.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

When a client's infrastructure changes, the first honest signal is a failing source in the DMARC reports. Palisade reads them for every client domain and keeps legitimate senders aligned as things move — so hand-listed IPs don't silently drift out of date on the road to `p=reject`.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

The public IP your outbound mail actually leaves from — not your website's address. Check a received header on a real message, or ask whoever runs the sending server.

No. ip4 and ip6 are evaluated without any DNS query, so they're free. That's exactly why they're the fix when a record has too many lookups.

Yes — CIDR notation: ip4:192.0.2.0/24 authorizes all 256 addresses in that block. Keep ranges as tight as what you genuinely control.

ip4 for your own fixed infrastructure; include for third parties like Google or your ESP, whose ranges rotate and who maintain their own SPF record so you don't have to.

Related terms

What is SPF? Sender Policy Framework explained