A situation that might arise is that you already have an SPF record on your domain but you want to allow a new IP address or range of IPs to send email from your domain.
The first thing to keep in mind is that you cannot have more than one SPF record, so make sure you modify the existing one. This is very important as multiple SPF records will produce an error and prevent the SPF check from succeeding, according to the specification.
If you need a refresher on SPF, the syntax and how to build the TXT record, read our How to setup SPF guide.
Adding a single IPv4 or IPv6
Let’s say your TXT record looks like this:
v=spf1 include:_spf.google.com ~all
To allow a single IPv4 address, like 192.0.2.0, add an ip4 directive:
v=spf1 include:_spf.google.com ip4:192.0.2.0 ~all
It doesn’t really matter if you put it before or after the existing directives, as long as it’s before the ~all or -all and after the initial v=spf1 tag. Also make sure that you add a space before ip4 and after the IPv4 address.
In the case of IPv6, you should use the ip6 directive. Here’s an example with a random IPv6 address:
v=spf1 include:_spf.google.com ip6:2a00:1450:4002:410::200e ~all
If you’re wondering whether the colons in the IPv6 address interfere with the SPF syntax, they don’t: this is the correct format as specified by the standard.
Adding an IP range
SPF supports the CIDR syntax, so you can add a whole IPv4 or IPv6 subnet or prefix in an SPF directive.
Here’s an example:
v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all
There’s nothing special about it and it works as you would expect.
If you already have IP ranges in your SPF record and want to add a new one, you should try to merge overlapping or contiguous ranges. There are online tools and CLI tools if you don’t want to do that manually.
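One way to do the merge yourself, as an added example that is not part of the original guide: a Python sketch that adds new addresses or ranges to an existing record, collapses overlapping and contiguous ranges, and keeps the all term last. The function name add_ips_to_spf and the sample record are assumptions made for illustration.

```python
import ipaddress
import re

ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)

def _fmt(net):
    """Render a network as an ip4:/ip6: mechanism, omitting a full-length prefix."""
    tag = "ip4" if net.version == 4 else "ip6"
    host = net.prefixlen == net.max_prefixlen
    return f"{tag}:{net.network_address if host else net}"

def add_ips_to_spf(record, new_ranges):
    """Return `record` with `new_ranges` added and its IP ranges merged."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    nets = [ipaddress.ip_network(r, strict=False) for r in new_ranges]
    kept, all_term = [], None
    for term in terms[1:]:
        if ALL_TERM.match(term):
            all_term = term
        elif term.lower().startswith(("ip4:", "ip6:")):
            # Only unqualified (pass) ip4/ip6 mechanisms are merged.
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        else:
            kept.append(term)  # include:, a, mx, redirect=, qualified terms...
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        # collapse_addresses drops contained ranges and joins adjacent ones.
        merged += [_fmt(n) for n in ipaddress.collapse_addresses(same)]
    out = ["v=spf1", *kept, *merged]
    if all_term:
        out.append(all_term)  # mechanisms placed after all are never evaluated
    return " ".join(out)

if __name__ == "__main__":
    # Constructed sample record using documentation address space.
    current = "v=spf1 include:_spf.google.com ip4:192.0.2.0/25 ip4:198.51.100.7 ~all"
    print(add_ips_to_spf(current, ["192.0.2.128/25", "2001:db8::/32"]))
```

The result is a single TXT value that replaces the existing record; it should not be published as a second SPF record next to the old one.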
That’s it. Remember that SPF alone isn’t enough to prevent email spoofing, i.e. preventing other people from abusing your domain. For that you would need DMARC; you can learn more about it here.