Last updated: July 2026
In short: The
ip4andip6mechanisms authorize individual IP addresses or entire CIDR subnets directly within your SPF record. Their biggest architectural benefit: they consume zero DNS lookups during evaluation.
If your mail servers operate on dedicated IPv4 or IPv6 addresses, or if your hosting infrastructure assigned you specific static subnets, declaring them via ip4 and ip6 is the cleanest and most reliable way to authorize them in your Sender Policy Framework (SPF) record.
How the ip4 and ip6 mechanisms operate
Under RFC 7208, these mechanisms test whether the connecting mail server’s IP address (<ip>) is contained within a given IP network. Because the network range is hardcoded directly into the TXT string, the receiving mail server evaluates the IP match directly in memory without initiating any external network queries.
You can specify individual CIDR network blocks:
v=spf1 ip4:192.0.2.0/24 -all
Or combine single IP addresses across both IPv4 and IPv6:
v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 -all
Default CIDR prefix lengths when omitted
If you do not append a slash and CIDR network prefix to the IP address, SPF applies standard defaults automatically. According to RFC 7208, if ip4-cidr-length is omitted, it is taken to be /32 (matching exactly one IPv4 address). If ip6-cidr-length is omitted, it is taken to be /128 (matching exactly one IPv6 address).
Writing ip4:192.0.2.10 is therefore functionally identical to writing ip4:192.0.2.10/32.
Zero DNS lookups: the major performance advantage
The primary operational advantage of ip4 and ip6 is evaluation speed and lookup conservation. RFC 7208 explicitly establishes that the all, ip4, and ip6 mechanisms, as well as the exp modifier, do not cause DNS queries at the time of SPF evaluation. Consequently, their use is not subject to the strict limit of 10 DNS queries per authentication check.
While mechanisms like include, a, and mx force the receiving server to perform external DNS lookups—consuming time and counting against your 10-lookup budget—ip4 and ip6 terms evaluate instantaneously. Organizations running dedicated servers or static cloud infrastructure can frequently replace deep include chains with direct IP ranges, eliminating the risk of permerror (permanent error).
Note, however, that a domain must not publish multiple separate SPF records. Publishing more than one record for a single domain name immediately triggers a permerror during evaluation regardless of how many ip4 or ip6 terms you use.
Verifying your configuration
To confirm that all your IP network notations are syntactically valid and that your record evaluates cleanly, test your domain using the free MXAudit scanner. It breaks down your exact mechanism structure and confirms which terms run lookup-free versus those requiring DNS queries.
For comprehensive architectural guidance or control-panel instructions, check out the SPF hub and setup guides like IONOS SPF setup.
Further reading
- RFC 7208 — Sender Policy Framework (SPF) (retrieved: July 16, 2026)