SPF ip4 and ip6 Mechanisms: Authorizing IP Addresses
Learn how to use SPF ip4 and ip6 mechanisms to authorize IP addresses. Covers syntax, CIDR ranges, IP vs include, and common mistakes.
Last updated: 2026-05-17
When you build an SPF record, you're telling the world which servers are allowed to send email for your domain. The ip4 and ip6 mechanisms, defined in RFC 7208, let you authorize specific IP addresses directly—without referencing another domain's SPF record. This guide explains how they work, when to use them, and common mistakes to avoid. For a comprehensive overview of all SPF mechanisms, see our complete SPF guide.
What Do ip4 and ip6 Do?
The ip4 mechanism authorizes an IPv4 address (the traditional format like 192.0.2.1) to send email for your domain. The ip6 mechanism does the same thing for IPv6 addresses (the newer, longer format like 2001:db8::1).
When a receiving mail server checks your SPF record and sees an ip4 or ip6 entry, it compares the sending server's IP address against that value. If it matches, the SPF check passes.
Here's a simple example:
v=spf1 ip4:192.0.2.1 ~all
This record says: "The server at IP address 192.0.2.1 is authorized to send email for my domain. Treat everything else with suspicion."
The Syntax
The syntax is straightforward. You write the mechanism name, a colon, and then the IP address or range.
Single IPv4 address:
ip4:192.0.2.1
Single IPv6 address:
ip6:2001:db8::1
IPv4 range (using CIDR notation):
ip4:192.0.2.0/24
IPv6 range (using CIDR notation):
ip6:2001:db8::/32
You can include multiple ip4 and ip6 entries in a single record:
v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all
CIDR Notation: Authorizing a Range of IPs
If you need to authorize a block of IP addresses rather than a single one, you use CIDR notation. This is the number after the slash that defines how large the range is.
Think of it this way: the number after the slash tells the system how many addresses are included.
- /32 = exactly 1 address (the default if you don't specify)
- /24 = 256 addresses (e.g., 192.0.2.0 through 192.0.2.255)
- /16 = 65,536 addresses
For IPv6, the concept is identical but the numbers are larger (/128 = one address, /64 = a standard subnet).
Keep ranges as narrow as possible
Only authorize the IP addresses you actually use. A range like /16 authorizes over 65,000 addresses. If an attacker controls any one of those addresses, they could send email pretending to be you. Stick to the smallest range that covers your servers.
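The comparison a receiver performs against ip4 and ip6 terms, including the single-address default when no prefix length is given, can be sketched as follows. This is an added example, not code from the original page; the function names are hypothetical, the record is constructed from documentation address ranges, and every other mechanism (include, a, mx, all) is deliberately ignored.

```python
import ipaddress

# Constructed sample record (documentation address ranges only).
RECORD = "v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"

def ip_terms(record):
    """Yield (term, network) for every ip4/ip6 mechanism in an SPF record."""
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6") or not value:
            continue                           # other mechanisms are not handled here
        # No /prefix means one address: /32 for ip4, /128 for ip6.
        net = ipaddress.ip_network(value, strict=False)
        if net.version != int(name[2]):
            raise ValueError(f"{term}: address family does not match mechanism")
        yield term, net

def matching_term(record, sender_ip):
    """Return the first ip4/ip6 term that covers sender_ip, or None."""
    ip = ipaddress.ip_address(sender_ip)
    # RFC 7208 treats an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as IPv4.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    for term, net in ip_terms(record):
        if ip.version == net.version and ip in net:
            return term
    return None

def range_sizes(record):
    """Map each ip4/ip6 term to the number of addresses it authorizes."""
    return {term: net.num_addresses for term, net in ip_terms(record)}

if __name__ == "__main__":
    for sender in ("192.0.2.1", "192.0.2.2", "198.51.100.200", "2001:db8:1::25"):
        print(sender, "->", matching_term(RECORD, sender))
    print(range_sizes(RECORD))
```

The returned term keeps its qualifier, so a caller can tell a match on `-ip4:...` from a match on a plain `ip4:...`.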
When to Use ip4/ip6 vs include
You have two main ways to authorize senders in SPF: the ip4/ip6 mechanisms for direct IP authorization, and the include mechanism that references another domain's SPF record. Each approach has trade-offs.
| Feature | ip4/ip6 | include |
|---|---|---|
| DNS lookups | None (doesn't count toward 10-lookup limit) | At least 1 per include statement |
| Maintenance | You must update manually if IPs change | The provider maintains their own record |
| Best for | Servers with static, dedicated IPs | Cloud email services with changing infrastructure |
| Record length | Can get long with many IPs | Short—just one include per service |
| Accuracy | Always current (you control it) | Always current (provider controls it) |
Use ip4/ip6 when:
- You run your own mail server with a fixed IP address
- Your hosting provider has given you a dedicated IP that won't change
- You're hitting the 10 DNS lookup limit and need to reduce lookups
- You want to authorize a specific server without trusting an entire provider's infrastructure
Use include when:
- You're using a cloud email service like Google Workspace, Microsoft 365, or SendGrid
- The provider's sending IPs could change without notice
- The provider tells you to use an include statement in their documentation
In practice, most businesses use a mix of both. You might use include for your email platform and ip4 for your own web server that sends transactional emails.
The Big Advantage: No DNS Lookup Cost
Every include, a, mx, and redirect mechanism in your SPF record costs at least one DNS lookup—and per RFC 7208, Section 4.6.4, you're limited to 10 total. Go over the limit, and your entire SPF record breaks with a PermError.
The ip4 and ip6 mechanisms are different: they cost zero DNS lookups. The receiving server can evaluate them immediately without making additional DNS queries.
This makes IP-based authorization a powerful tool when you're running out of lookups. If a service sends from a small set of static IPs, you can replace its include with direct ip4 entries and save those lookups for services that need them.
Read more about this in our guide on the SPF 10 DNS lookup limit.
Only flatten when necessary
Replacing includes with IP addresses (sometimes called "SPF flattening") means you take on the responsibility of keeping those IPs up to date. If the provider changes their IPs and you don't update your record, emails from that provider will fail SPF. Only do this when you genuinely need to reduce lookups. See our guide on SPF flattening for more detail.
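The lookup saving from flattening can be measured before publishing a change. The sketch below is an added example, not code from the original page: the domains and records in ZONE are constructed stand-ins for DNS TXT answers, the function names are hypothetical, and flatten() assumes the included records contain only ip4, ip6 and include terms.

```python
import re

# Constructed zone data standing in for DNS TXT answers (hypothetical domains).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example mx ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.10 ~all",
}

# Terms that count toward the limit in RFC 7208, Section 4.6.4.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def count_lookups(record, zone):
    """Count lookup-costing terms, following include/redirect into zone."""
    total = 0
    for term in record.split()[1:]:
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].lower()
        if name not in LOOKUP_TERMS:
            continue                      # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(zone[parts[1]], zone)
    return total

def ip_terms_of(domain, zone):
    """Collect the ip4/ip6 terms published under domain, following includes."""
    out = []
    for term in zone[domain].split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            out.append(term)
        elif term.startswith("include:"):
            out += ip_terms_of(term[len("include:"):], zone)
    return out

def flatten(record, domain, zone):
    """Replace include:<domain> with the IP terms it currently resolves to."""
    terms = []
    for term in record.split():
        terms += ip_terms_of(domain, zone) if term == f"include:{domain}" else [term]
    return " ".join(terms)

if __name__ == "__main__":
    before = ZONE["example.com"]
    after = flatten(before, "_spf.mailer.example", ZONE)
    print(count_lookups(before, ZONE), "->", count_lookups(after, ZONE))
    print(after)
```

Re-running flatten() against fresh DNS answers on a schedule and comparing the output with the published record is one way to notice when a provider's IPs have changed.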
Common Mistakes
Forgetting the ip4 or ip6 prefix
Writing just the IP address without the mechanism name won't work:
# Wrong
v=spf1 192.0.2.1 ~all
# Correct
v=spf1 ip4:192.0.2.1 ~all
Using the wrong CIDR prefix length
A /24 range authorizes 256 addresses. If you only need to authorize one server, don't use a range—just use the single IP:
# Unnecessarily broad
v=spf1 ip4:192.0.2.0/24 ~all
# If you only use 192.0.2.1
v=spf1 ip4:192.0.2.1 ~all
Missing the CIDR prefix entirely for a range
If your hosting provider says "your IPs are in the 192.0.2.0/24 range," make sure you include the /24. Without it, you're only authorizing the single address 192.0.2.0:
# Only authorizes 192.0.2.0
ip4:192.0.2.0
# Authorizes the full range
ip4:192.0.2.0/24
Confusing ip4 with IPv4 addresses in include statements
The include mechanism takes a domain name, not an IP address. This is wrong:
# Wrong—include needs a domain
include:192.0.2.1
# Correct
ip4:192.0.2.1
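The four mistakes above can be caught mechanically before a record is published. This linter is an added example, not code from the original page; the function name, the min_prefix policy thresholds and the "ends in zero" heuristic are assumptions, and the sample record is constructed.

```python
import ipaddress

# Constructed record containing each mistake from this section.
SAMPLE = ("v=spf1 192.0.2.1 include:192.0.2.1 ip4:192.0.2.0 ip4:198.51.0.0/16 "
          "ip4:198.51.100.7 ip6:2001:db8::/32 include:_spf.example.com ~all")

def _as_network(text):
    """Return an ip_network for text, or None if it is not an IP or CIDR."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def lint_spf_ips(record, min_prefix={4: 24, 6: 64}):
    """Return (term, problem) pairs for IP-related mistakes in an SPF record.

    min_prefix is an assumed local policy (shortest prefix accepted per
    address family), not a rule from the SPF specification.
    """
    findings = []
    for term in record.split()[1:]:                # skip v=spf1
        body = term.lstrip("+-~?")
        name, _, value = body.partition(":")
        name = name.lower()
        if _as_network(body) is not None:
            findings.append((term, "bare IP: missing ip4:/ip6: prefix"))
        elif name == "include" and _as_network(value) is not None:
            findings.append((term, "include takes a domain: use ip4:/ip6:"))
        elif name in ("ip4", "ip6"):
            net = _as_network(value)
            if net is None or net.version != int(name[2]):
                findings.append((term, "not a valid address for this mechanism"))
            elif net.prefixlen < min_prefix[net.version]:
                findings.append((term, f"broad range: /{net.prefixlen}"))
            elif "/" not in value and int(net.network_address) % 256 == 0:
                # Heuristic: an address whose last byte is zero and has no
                # prefix length often means the /NN was dropped.
                findings.append((term, "single address: was a /prefix intended?"))
    return findings

if __name__ == "__main__":
    for term, problem in lint_spf_ips(SAMPLE):
        print(f"{term:24} {problem}")
```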
Finding the Right IPs to Add
Not sure which IP addresses to authorize? Here are a few ways to find out:
- Ask your email provider. They can tell you the sending IPs for your account.
- Check email headers. Look at the headers of successfully delivered emails—the sending IP is listed there.
- Check your server configuration. If you run your own mail server, your hosting provider can confirm the outbound IP.
If you need help building or updating your SPF record with the right IP addresses, SPF Creator can generate the correct syntax automatically.
Verify Your Record
After adding ip4 or ip6 entries to your SPF record, use the checker above to confirm the record is valid. Send a test email and check the headers to verify spf=pass.
For complete authentication, also set up DKIM and DMARC alongside your SPF record.
References
- RFC 7208: Sender Policy Framework (SPF). The current SPF specification, including ip4 and ip6 mechanism definitions
- RFC 7208, Section 4.6.4: DNS Lookup Limits. Why ip4/ip6 are advantageous (no lookup cost)