5.1.9. Dealing with SPF records If the DNS64 server receives a SPF-record (within either the TXT-RR or the SPF-RR ) containing the "ip4" mechanism, it MUST rewrites the ipv4 address according to the same rules as an A-RR and synthesize a new SPF record within the response that contains it as an additional "ip6" entry. If an ip4-cidr-length is present, it gets converted as well (adding 96 will generate the new ip6-cidr-length). The original "ip4" mechanism MUST NOT be removed from the response. If any "a" or "mx" mechanism contains a dual-cidr-length without an ip6-cidr-length, it also gets generated. E.g.: "v=spf1 a:a.example.com/24 mx:mx.example.com/24 ip4:192.0.0.1/32 -all" becomes: "v=spf1 a:a.example.com/24/120 mx:mx.example.com/24/120 ip4:192.0.0.1/32 ip6:64:ff9b::c000:1/128 -all" NOTE: Everything else is done by the SPF validator (as already defined in the standard). * When it checks a.example.com, it'll query the A-RR and AAAA-RR and thereby get a response containing the synthesized AAAA-RR and validation will pass accordingly. * When it checks the NAT64 generated IPv6 source address against the SPF, it'll find the "ip6" mechanism and also pass. * For any macro-string, the SPF validator will generate new DNS lookups, which will be rewritten according to this RFC and therefore pass as expected.

This mechanism is used to construct an arbitrary domain name that is used for a DNS A record query.

This mechanism is used to construct an arbitrary domain name that is used for a dual DNS A-RR and AAAA-RR query.

The <domain-spec> is expanded as per Section 7. The resulting domain name is used for a DNS A RR lookup (even when the connection type is IPv6). If any A record is returned, this mechanism matches.

The <domain-spec> is expanded as per Section 7. The resulting domain name is used for a DNS A-RR and AAAA-RR lookup, depending on when the host is single-stack IPv6 or IPv4. For dual-stack, an SPF resolver MUST query both. If any A or AAAA record is returned, this mechanism matches.