Last updated: July 2026

In short: The standards are the same everywhere, but the buttons are not. Find your host below and jump straight to its guides. New to the topic? Start with what email authentication is and how SPF, DKIM and DMARC fit together, then come back here for the click-by-click steps.

Every guide covers one standard for one provider, with the exact panel path, the ready-made record, common mistakes, and how to verify. A good order is SPF → DKIM → DMARC → transport (MTA-STS/DANE, TLS-RPT) → BIMI, as laid out in the full stack overview.

German shared hosts

These are DNS-plus-mailbox providers common in the DACH region. All support SPF, DKIM, DMARC, TLS-RPT and BIMI through their DNS panels. None publish TLSA records for their MX, so DANE isn’t available to their customers — and MTA-STS is impractical on most because you can’t host the required policy subdomain over HTTPS with a valid certificate. See MTA-STS at shared hosts for the full explanation.

IONOS

Germany’s largest hoster; SPF is pre-activated by default.

Strato

Popular budget host; DNS records are managed under “Domainverwaltung”.

Netcup

Technical host with a flexible DNS console (CCP).

All-Inkl

Well-regarded host with the KAS admin panel.

domainfactory

Established host with a straightforward DNS editor.

united-domains

Domain-focused registrar; watch its portal’s handling of longer TXT values.

checkdomain

Registrar and host with a clean DNS interface.

DNS specialists

Pure DNS hosts (no mailboxes) — the common choice when you run mail elsewhere but want your zone here. You write every record yourself.

Hetzner DNS

Clean console and full record control.

Cloudflare

The world’s most-used DNS; mind the proxy toggle — DNS-only for mail records.

Amazon Route 53

AWS’s DNS service; changes typically propagate within 60 seconds.

International registrars & hosts

Registrar-plus-mail providers outside the DACH region. Same picture as the German shared hosts: SPF, DKIM, DMARC, TLS-RPT and BIMI work through their DNS panels; DANE and managed MTA-STS don’t (see MTA-STS at shared hosts and DANE: who can use it).

Gandi

Registrar with LiveDNS and its own mail platform (Gandi Mail).

OVHcloud

Europe’s largest hoster; MX Plan / Email Pro with auto-configured DKIM.

GoDaddy

The world’s largest registrar; email usually via resold Microsoft 365.

Cloud email suites

Hosted mail platforms. Both add the transport layer: MTA-STS is available on each, and Microsoft 365 additionally supports inbound DANE.

Microsoft 365 (Exchange Online)

The one major hosted platform that can do DANE, via DNSSEC and PowerShell activation.

Google Workspace

Relies on MTA-STS for enforced inbound transport (it publishes no TLSA records).

Self-hosted

Mailcow

The dockerized mail server. Run your own MX and you get the full deck — including DANE, because you control both the DNS zone and the MX certificate.

Not sure the transport layer applies to you?

DANE and MTA-STS have prerequisites not every setup meets. Two explainers sort out who can use what:

Verify the result

Whatever your host, run your domain through the free MXAudit scanner when you’re done. It checks SPF, DKIM, DMARC, MTA-STS, DANE, TLS-RPT and BIMI in a single pass and tells you exactly what’s still missing.