DANE for email: who can use it, who can't — and what to use instead
DANE needs DNSSEC and TLSA at the MX — only the mail server operator can do that. Who supports it, who doesn't, and what to use otherwise.
English
Step by step, per provider, verified against primary sources.
DANE needs DNSSEC and TLSA at the MX — only the mail server operator can do that. Who supports it, who doesn't, and what to use otherwise.
Pick your host and jump straight to its SPF, DKIM, DMARC, TLS-RPT, MTA-STS, DANE and BIMI guides — from IONOS to Microsoft 365 to Mailcow.
Why MTA-STS isn't a toggle at the German shared hosts — and which paths remain open to you anyway.
SPF, DKIM and DMARC aren't alternatives — they're a stack. What each one does, why DMARC ties them together, and how to reach enforcement safely.
SPF, DKIM and DMARC prove who sent your mail; TLS, MTA-STS and DANE protect it in transit. The full stack, explained — with links to every setup guide.
BIMI at All-Inkl: the default._bimi TXT record in the KAS — plus the real prerequisites DMARC, SVG logo, and VMC.
BIMI at checkdomain: the default._bimi TXT record in the pro settings — plus DMARC, SVG logo, and VMC.
BIMI at Cloudflare: the default._bimi TXT record in the dashboard — plus DMARC, SVG logo, and VMC.
BIMI at domainfactory: the default._bimi TXT record in the nameserver settings — plus DMARC, SVG logo, and VMC.
BIMI at Gandi: the default._bimi TXT record in LiveDNS — plus DMARC, SVG logo, and VMC.
BIMI at GoDaddy: the default._bimi TXT record in the Domain Portfolio — plus DMARC, SVG logo, and VMC.
BIMI for Google Workspace: the default._bimi TXT at the DNS host — Gmail shows the logo only with a VMC/CMC.
BIMI at Hetzner: the default._bimi TXT record in the Console — plus DMARC, SVG logo, and VMC.
BIMI at IONOS: the default._bimi TXT record — plus the real prerequisites DMARC, SVG logo, and VMC.
BIMI for Mailcow: the default._bimi TXT record — you host the logo yourself, plus DMARC and VMC.
BIMI for Microsoft 365: the default._bimi TXT at the DNS host — plus DMARC, SVG logo, and VMC. Outlook shows BIMI with a VMC.
BIMI at Netcup: the default._bimi TXT record in the CCP — plus the real prerequisites DMARC, SVG logo, and VMC.
BIMI at OVHcloud: the default._bimi TXT record — plus the real prerequisites DMARC, SVG logo, and VMC.
BIMI at Amazon Route 53: the default._bimi TXT record in the console — plus DMARC, SVG logo, and VMC.
BIMI at Strato: the default._bimi TXT record — plus the real prerequisites DMARC, SVG logo, and VMC.
BIMI at united-domains: the default._bimi TXT record — plus the real prerequisites DMARC, SVG logo, and VMC.
DKIM at All-Inkl: the TXT (DKIM) record in the KAS with your own selector — step by step with verification.
DKIM at checkdomain: one switch under Emails → Security — enables SPF and DKIM together.
DKIM at Cloudflare: publish the public key as a selector._domainkey TXT record — for Cloudflare Email Service or your own mail server.
DKIM at domainfactory: no wizard, but a TXT record with your sending service's key.
DKIM at Gandi: one toggle with LiveDNS — plus the 3 CNAME entries for external DNS.
DKIM at GoDaddy: no bare-domain wizard — your mail product generates the key, you publish it as a CNAME or TXT record.
DKIM for Google Workspace: generate the key in the Admin console, enter the google._domainkey TXT at your domain host.
DKIM at Hetzner: konsoleH generates the key pair automatically — plus the TXT route for external DNS and your own servers.
DKIM at IONOS: active by default — plus the 3 CNAME entries for external DNS.
DKIM for Mailcow: generate the key in the UI, put the dkim._domainkey TXT in DNS — step by step with verification.
DKIM for Microsoft 365: two CNAME selectors, activation in the Defender portal — incl. the new format since May 2025.
DKIM at Netcup: two CNAME entries in the CCP — key1 and key2 are both mandatory.
DKIM at OVHcloud: one-click activation for MX Plan/Email Pro, or two CNAMEs for external DNS — step by step.
DKIM at Amazon Route 53: CNAME records for SES-style delegation or a TXT public key for your own server — with the Route 53 apex caveat.
DKIM at Strato: automatically active via smtp.strato.de — plus the CNAME selectors for your own nameservers.
DKIM at united-domains: automatically enabled for mailbox domains — except with external nameservers.
DMARC at All-Inkl: adjusting the pre-set _dmarc record — incl. authorizing external report addresses.
DMARC at checkdomain: the _dmarc TXT record and the safe path from p=none to p=reject.
DMARC at Cloudflare: create the _dmarc TXT yourself in the dashboard — safely from p=none to p=reject.
DMARC at domainfactory: create the _dmarc TXT yourself in the nameserver settings.
DMARC at Gandi: create the _dmarc TXT in LiveDNS — safely from p=none to p=reject.
DMARC at GoDaddy: the _dmarc TXT record in the Domain Portfolio — GoDaddy's ready value, safely staged to enforcement.
DMARC for Google Workspace: the _dmarc TXT at the domain host — the safe path from p=none to p=reject.
DMARC at Hetzner: create the _dmarc TXT yourself in the DNS zone — safely from p=none to p=reject.
DMARC at IONOS: the _dmarc TXT record and the safe path from p=none to p=reject.
DMARC for Mailcow: the _dmarc TXT record and the safe path from p=none to p=reject.
DMARC for Microsoft 365: the _dmarc TXT at the domain host — incl. the peculiarity of the high-risk outbound pool.
DMARC at Netcup: create the _dmarc TXT yourself in the CCP — safely from p=none to p=reject.
DMARC at OVHcloud: the _dmarc record via the DNS-zone assistant — start at p=none, then tighten.
DMARC at Amazon Route 53: create the _dmarc TXT yourself in the hosted zone — safely from p=none to p=reject.
DMARC at Strato: default rule or your own _dmarc record — and why Strato itself sends no reports.
DMARC at united-domains: from p=none to p=reject via radio buttons — and securing unused domains right away.
SPF at All-Inkl: the correct TXT entry in the KAS — step by step with verification.
SPF at checkdomain: the correct TXT entry in the pro settings — step by step with verification.
SPF at Cloudflare: publishing the TXT record in the dashboard for your mail provider — step by step with verification.
SPF at domainfactory: the wizard in the nameserver settings — step by step with verification.
SPF at Gandi: step by step to the correct TXT record in LiveDNS — including verification.
SPF at GoDaddy: the TXT record in the Domain Portfolio — the ready value for GoDaddy mail, step by step with verification.
SPF for Google Workspace: the right TXT entry at your domain host — with Google's own combined examples.
SPF at Hetzner DNS: writing the record for your own mail server — step by step with verification.
SPF at IONOS: step by step to the correct DNS record — including verification.
SPF for Mailcow: the right TXT entry for your own mail server — including PTR and IPv6.
SPF for Microsoft 365: the right TXT entry at your DNS provider — with Microsoft's own recommendations.
SPF at Netcup: the correct TXT record in the CCP — step by step with verification.
SPF at OVHcloud: the built-in SPF assistant or your own record — step by step with verification.
SPF at Amazon Route 53: writing the TXT record for your own mail server — step by step with verification.
SPF at Strato: predefined rule or your own record — step by step with verification.
SPF at united-domains: one click under Email security — plus the manual path for your own mail servers.
TLS-RPT at All-Inkl: the _smtp._tls TXT record in the KAS — for TLS delivery reports.
TLS-RPT at checkdomain: the _smtp._tls TXT record in the pro settings — for TLS delivery reports.
TLS-RPT at Cloudflare: the _smtp._tls TXT record in the dashboard — the reporting companion to MTA-STS.
TLS-RPT at domainfactory: the _smtp._tls TXT record in the nameserver settings.
TLS-RPT at Gandi: the _smtp._tls TXT record in LiveDNS — value under a subhost name.
TLS-RPT at GoDaddy: the _smtp._tls TXT record in the Domain Portfolio — a standard record GoDaddy doesn't document, but readily hosts.
TLS-RPT for Google Workspace: the _smtp._tls TXT record for TLS delivery reports — as a companion to MTA-STS.
TLS-RPT at Hetzner: the _smtp._tls TXT record in the Console — value in quotation marks.
TLS-RPT at IONOS: the _smtp._tls TXT record in DNS management — for TLS delivery reports.
TLS-RPT for Mailcow: the _smtp._tls TXT record for TLS delivery reports — companion to MTA-STS and DANE.
TLS-RPT for Microsoft 365: the _smtp._tls TXT record for TLS delivery reports — companion to MTA-STS.
TLS-RPT at Netcup: the _smtp._tls TXT record in the CCP — for TLS delivery reports.
TLS-RPT at OVHcloud: the _smtp._tls TXT record via the DNS-zone assistant — for TLS delivery reports.
TLS-RPT at Amazon Route 53: the _smtp._tls TXT record in the console — value in double quotes.
TLS-RPT at Strato: the _smtp._tls TXT record via gear → DNS — for TLS delivery reports.
TLS-RPT at united-domains: the _smtp._tls TXT record via the DNS entries — for TLS delivery reports.