SPF glossary

What does ip6 mean in an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

ip6: authorizes a literal IPv6 address or CIDR range — ip6:2001:db8::1 for one host, ip6:2001:db8::/32 for a block — exactly like ip4: does for IPv4, and it also costs zero DNS lookups. It matters more every year: receivers like Gmail treat IPv6 mail more strictly, so v6 paths need explicit authorization.

ip6: at a glance
Tagip6 (mechanism)
Valid valuesip6:<IPv6 address> or ip6:<network>/<prefix>, e.g. ip6:2001:db8::/32
DefaultA bare address with no prefix length matches that single IP (/128).
Where it goesBetween v=spf1 and the final all, usually right next to its ip4 siblings.

How ip6: works

ip6: is the IPv6 twin of ip4: — literal addresses written into the record, evaluated with zero DNS lookups. One host is ip6:2001:db8::1; a network is CIDR notation like ip6:2001:db8::/32.

It's easy to forget, and forgetting has consequences on dual-stack infrastructure. If your server has an AAAA record, connections to v6-capable receivers often go over IPv6 — and if your record only lists ip4: terms, that mail comes from an address you never authorized. Receivers are stricter on IPv6 paths, too: Gmail has long required that mail delivered over IPv6 come from IPs with valid reverse DNS and pass authentication, because the reverse-DNS heuristics that give IPv4 mail the benefit of the doubt don't extend to v6.

In practice: list both families for your own infrastructure, and let provider includes carry their own v6 ranges — the big providers already publish them.

Correct record vs common mistake

Correct

v=spf1 ip4:192.0.2.10 ip6:2001:db8::1 -all

Both address families for the same server — receivers that connect over IPv6 still see an authorized IP.

Common mistake

v=spf1 ip4:192.0.2.10 -all

Not a syntax error — an omission. If this server also has an IPv6 address, mail delivered over v6 comes from an unlisted IP and hardfails.

Generate your SPF record

Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

Troubleshooting ip6:

IssueLikely causeFix
Gmail failing SPF that passes elsewhereThe message was delivered over IPv6 and only ip4 terms are listedRead the v6 connecting IP from the received headers and add the ip6 term (or the host's /64)
Unsure whether a server sends over IPv6Dual-stack hosts prefer v6 when the receiver supports itCheck for an AAAA record on the sending host and inspect received headers at v6-capable receivers
DNS editor rejects the ip6 syntaxMalformed address, or a range missing its prefix lengthUse ip6:<address> for one host or ip6:<network>/<prefix> for a range, e.g. ip6:2001:db8::/32

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

One template omission, repeated across every tenant: the day a client's host enables IPv6 — often a hosting-provider default, not a decision — Gmail starts failing that tenant's SPF while your monitoring, testing over IPv4, sees green. Multiply by 100+ client domains on assorted hosting stacks and “works for us, fails at Gmail” becomes a recurring, confusing ticket class.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

DMARC aggregate reports break out the actual sending IPs — IPv6 included — so an unauthorized v6 path shows up as evidence, not as a mystery Gmail complaint. Palisade reads those reports for every client domain and aligns each real source before advancing the policy toward `p=reject`.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

If the sending host has an IPv6 address (an AAAA record), yes — v6-capable receivers will often get the connection over IPv6, and that address must be authorized. If your infrastructure is genuinely v4-only, you don't.

No — like ip4, it's evaluated without any DNS query. Both are free and ideal for fixed infrastructure.

Check whether the failures are on IPv6 deliveries. Dual-stack servers use v6 when the receiver offers it, and if only ip4 terms are listed, exactly those messages fail. The connecting IP in the received header settles it.

Related terms

What is SPF? Sender Policy Framework explained