SPF glossary
What does ip6 mean in an SPF record?

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026
ip6: authorizes a literal IPv6 address or CIDR range — ip6:2001:db8::1 for one host, ip6:2001:db8::/32 for a block — exactly like ip4: does for IPv4, and it also costs zero DNS lookups. It matters more every year: receivers like Gmail treat IPv6 mail more strictly, so v6 paths need explicit authorization.
ip6: at a glance | |
|---|---|
| Tag | ip6 (mechanism) |
| Valid values | ip6:<IPv6 address> or ip6:<network>/<prefix>, e.g. ip6:2001:db8::/32 |
| Default | A bare address with no prefix length matches that single IP (/128). |
| Where it goes | Between v=spf1 and the final all, usually right next to its ip4 siblings. |
How ip6: works
ip6: is the IPv6 twin of ip4: — literal addresses written into the record, evaluated with zero DNS lookups. One host is ip6:2001:db8::1; a network is CIDR notation like ip6:2001:db8::/32.
It's easy to forget, and forgetting has consequences on dual-stack infrastructure. If your server has an AAAA record, connections to v6-capable receivers often go over IPv6 — and if your record only lists ip4: terms, that mail comes from an address you never authorized. Receivers are stricter on IPv6 paths, too: Gmail has long required that mail delivered over IPv6 come from IPs with valid reverse DNS and pass authentication, because the reverse-DNS heuristics that give IPv4 mail the benefit of the doubt don't extend to v6.
In practice: list both families for your own infrastructure, and let provider includes carry their own v6 ranges — the big providers already publish them.
Correct record vs common mistake
Correct
v=spf1 ip4:192.0.2.10 ip6:2001:db8::1 -allBoth address families for the same server — receivers that connect over IPv6 still see an authorized IP.
Common mistake
v=spf1 ip4:192.0.2.10 -allNot a syntax error — an omission. If this server also has an IPv6 address, mail delivered over v6 comes from an unlisted IP and hardfails.
Generate your SPF record
Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.
Who sends email for this domain?
Each service adds its documented include mechanism.
From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.
How should receivers treat everyone else?
Your SPF record
0/10 DNS lookupsPublish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.
yourdomain.com (or @)
v=spf1 ~all
Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.
After you publish
- Add the TXT record at your DNS host.
- Verify it with the free SPF checker.
- SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.
Troubleshooting ip6:
| Issue | Likely cause | Fix |
|---|---|---|
| Gmail failing SPF that passes elsewhere | The message was delivered over IPv6 and only ip4 terms are listed | Read the v6 connecting IP from the received headers and add the ip6 term (or the host's /64) |
| Unsure whether a server sends over IPv6 | Dual-stack hosts prefer v6 when the receiver supports it | Check for an AAAA record on the sending host and inspect received headers at v6-capable receivers |
| DNS editor rejects the ip6 syntax | Malformed address, or a range missing its prefix length | Use ip6:<address> for one host or ip6:<network>/<prefix> for a range, e.g. ip6:2001:db8::/32 |
See this on your own domain
Enter your domain — the check runs instantly on the next page. Free, no signup.
Why it matters for MSPs
One template omission, repeated across every tenant: the day a client's host enables IPv6 — often a hosting-provider default, not a decision — Gmail starts failing that tenant's SPF while your monitoring, testing over IPv4, sees green. Multiply by 100+ client domains on assorted hosting stacks and “works for us, fails at Gmail” becomes a recurring, confusing ticket class.
Trusted by MSPs
“Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.”
Alvin Kalli — CSIO, MSP Corp

































Enforce it — don't just monitor it
DMARC aggregate reports break out the actual sending IPs — IPv6 included — so an unauthorized v6 path shows up as evidence, not as a mystery Gmail complaint. Palisade reads those reports for every client domain and aligns each real source before advancing the policy toward `p=reject`.
Free 15-day trial · No credit card · Your own domain free forever (NFR)