My isp only give me one ipv6 address no any prefix unless I bridge WAN and LAN

doktornotor

You need ip4:x.x.x.x in there besides the ip6 in the TXT record. If you are only sending mail from the one MX, all you need is:

Like:

example.org.      2256    IN      TXT     "v=spf1 mx ~all"

(Meanwhile, if you got yourself a spammer reputation on that /64 already, you'd be better off deleting the tunnel and requesting a new one with HE. Also, I'd make sure any outbound SMTP is blocked from LAN, except for the mailserver IP. Otherwise, requesting new prefixes over and over again gets annoying quickly…)

awebster

Thanks very much dok!

You put me on the right track.  Problem was subtle, but makes sense now in hindsight.
I had stacked the SPF records, just as Google does, but if you put a "a" or "mx" inside the TXT record it is applying it to the fqdn of the stacked record, not the base record from which it was included originally.
So while I had _spf.example.org.  IN TXT  "v=spf1 a mx ip4:72.x.x.x ~all", the SPF parser was looking for an A and MX record in _spf.example.org, not in example.org which included _spf.example.org.

I've cleaned it up, folded mail6 back into mail and I'll give it another spin.  Strange though that it never has issues with IPv4 delivery, yet that is where the source of the problem lies.