SPF IPv6 Misconfiguration

SPF IPv6 misconfiguration happens when a domain sends email from IPv6-enabled infrastructure but the SPF record does not authorize the correct IPv6 ranges. SPF checks the actual connecting IP address, so if a provider sends over IPv6 and your record only covers IPv4, authentication can fail even though the sender itself is legitimate.

One-Minute Fix

Make sure your SPF record includes the correct ip6 mechanisms or a provider include that already covers the IPv6 sending ranges.

Correct IPv6 SPF entry
DNS TXT
v=spf1 ip6:2001:db8::/32 include:_spf.google.com ~all

Use the exact IPv6 range published by the provider or relay that actually sends your mail. Do not guess the network block.

Wrong vs correct setup

Wrong IPv6 setup

DNS TXT
v=spf1 ip4:198.51.100.10 ~all

This record is incomplete if your email provider also delivers mail over IPv6. SPF may pass on IPv4 but fail on IPv6.

Correct IPv6-aware setup

DNS TXT
v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all

This covers both IPv4 and IPv6 paths, which is important if your sender uses dual-stack infrastructure.
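
The difference between the two records above can be checked offline by evaluating their ip4, ip6 and all terms against a connecting address. This is an added example, not part of the original page; the function name evaluate_spf and the sample client IPs are assumptions, and terms that need DNS (such as include) are only listed as skipped, not resolved.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two records from this page, plus constructed connecting IPs.
WRONG = "v=spf1 ip4:198.51.100.10 ~all"
CORRECT = "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"
CLIENTS = ["198.51.100.10", "2001:db8:0:1::25"]  # constructed sample IPs


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record for one connecting IP.

    Returns (result, skipped). Terms that need DNS (include, a, mx, ...)
    are not evaluated offline and are listed in skipped.
    """
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    skipped = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], skipped
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", skipped
            if net.version != int(name[2]):
                return "permerror", skipped  # e.g. an IPv4 value under ip6:
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)
    return "neutral", skipped


if __name__ == "__main__":
    for label, record in (("wrong", WRONG), ("correct", CORRECT)):
        for ip in CLIENTS:
            print(label, ip, evaluate_spf(record, ip)[0])
```

A non-empty skipped list means the result is partial: an include may still authorize the address once it is resolved through DNS.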

Why this happens

Many domains were originally configured when IPv4 was the default assumption. Later, the mail provider or relay starts using IPv6 for part of its delivery path, but SPF is never updated to reflect that change.

Why this is a problem

  • SPF may pass on IPv4 but fail on IPv6 for the same sender.
  • Authentication results become inconsistent between recipients.
  • DMARC may fail when SPF was expected to provide alignment.
  • Troubleshooting becomes confusing because the sender appears valid in some places but not others.

How this affects deliverability

When IPv6 mail is not authorized in SPF, mailbox providers may see inconsistent authentication behavior from the same domain. That weakens trust and can make inbox placement less stable.

Common causes

  • The provider sends over IPv6 but SPF only lists IPv4 mechanisms.
  • An incorrect or incomplete ip6 range was pasted into DNS.
  • A relay or secure gateway changed outbound delivery to IPv6.
  • A provider include was replaced with manual SPF entries that no longer cover both IP families.

What we checked

We reviewed whether the SPF policy is capable of authorizing the actual sending path, including IPv6 where relevant, rather than only an older IPv4-only path.

FAQ

Do I always need ip6 in SPF?

No. You only need ip6 if your provider or relay actually sends mail from IPv6 addresses.

Can I use a provider include instead of manual ip6 entries?

Yes. In many cases that is safer, because the provider maintains the underlying IP ranges for you.

Why does SPF pass for some emails but fail for others?

One common reason is that some messages go out over IPv4 while others leave through IPv6, and your SPF record only covers one of those paths.

Next steps

  • Confirm whether your sending provider or relay uses IPv6 at all.
  • Collect a real sending IP from headers before editing SPF.
  • Add the correct ip6 mechanism or restore the provider include.
  • Remove outdated IPv6 entries that do not match your current mail flow.
  • Send a fresh test email and verify SPF from real headers.
  • Review the full troubleshooting guidance in the SPF Hub.
  • Check signing and selector issues in the DKIM Hub.
  • Review alignment and policy issues in the DMARC Hub.
