Now it works.

Setting up SPF on a domain that doesn't normally do email (specifically this one, mstevens.org), for experimental purposes.

Found one problem so far - I specified my SPF record as v=spf1 mx -all. I then sent a test email to google, and it was rejected with:

Received-SPF: fail (google.com: domain of mstevens@mstevens.org does not designate 2001:ba8:1f1:f1ef::2 as permitted sender) client-ip=2001:ba8:1f1:f1ef::2;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of mstevens@mstevens.org does not designate 2001:ba8:1f1:f1ef::2 as permitted sender) smtp.mail=mstevens@mstevens.org; dkim=pass (test mode) header.i=@mstevens.org

The mx defined for the domain is on IPv4 and IPv6, and has A and AAAA records. I was expecting the SPF record above to mark both as valid, but google doesn't seem to interpret it as valid.

Looking at the discussion at a thread on the SPF mailing list I think it probably should be considered valid, although I'm not certain. Anyway, I've updated the SPF record with a ip6 entry for the specific IP address, hopefully that'll sort it. Possibly there's a bug in the google implementation, but I wouldn't know who to contact!

Waiting for the DNS to propagate and see if the change helps.