Last updated: July 2026
In short: The standards are the same everywhere, but the buttons are not. Find your host below and jump straight to its guides. New to the topic? Start with what email authentication is and how SPF, DKIM and DMARC fit together, then come back here for the click-by-click steps.
Every guide covers one standard for one provider, with the exact panel path, the ready-made record, common mistakes, and how to verify. A good order is SPF → DKIM → DMARC → transport (MTA-STS/DANE, TLS-RPT) → BIMI, as laid out in the full stack overview.
German shared hosts
These are DNS-plus-mailbox providers common in the DACH region. All support SPF, DKIM, DMARC, TLS-RPT and BIMI through their DNS panels. None publish TLSA records for their MX, so DANE isn’t available to their customers — and MTA-STS is impractical on most because you can’t host the required policy subdomain over HTTPS with a valid certificate. See MTA-STS at shared hosts for the full explanation.
IONOS
Germany’s largest hoster; SPF is pre-activated by default.
Strato
Popular budget host; DNS records are managed under “Domainverwaltung”.
Netcup
Technical host with a flexible DNS console (CCP).
All-Inkl
Well-regarded host with the KAS admin panel.
domainfactory
Established host with a straightforward DNS editor.
united-domains
Domain-focused registrar; watch its portal’s handling of longer TXT values.
checkdomain
Registrar and host with a clean DNS interface.
DNS specialists
Pure DNS hosts (no mailboxes) — the common choice when you run mail elsewhere but want your zone here. You write every record yourself.
Hetzner DNS
Clean console and full record control.
Cloudflare
The world’s most-used DNS; mind the proxy toggle — DNS-only for mail records.
Amazon Route 53
AWS’s DNS service; changes typically propagate within 60 seconds.
International registrars & hosts
Registrar-plus-mail providers outside the DACH region. Same picture as the German shared hosts: SPF, DKIM, DMARC, TLS-RPT and BIMI work through their DNS panels; DANE and managed MTA-STS don’t (see MTA-STS at shared hosts and DANE: who can use it).
Gandi
Registrar with LiveDNS and its own mail platform (Gandi Mail).
OVHcloud
Europe’s largest hoster; MX Plan / Email Pro with auto-configured DKIM.
GoDaddy
The world’s largest registrar; email usually via resold Microsoft 365.
Cloud email suites
Hosted mail platforms. Both add the transport layer: MTA-STS is available on each, and Microsoft 365 additionally supports inbound DANE.
Microsoft 365 (Exchange Online)
The one major hosted platform that can do DANE, via DNSSEC and PowerShell activation.
Google Workspace
Relies on MTA-STS for enforced inbound transport (it publishes no TLSA records).
Self-hosted
Mailcow
The dockerized mail server. Run your own MX and you get the full deck — including DANE, because you control both the DNS zone and the MX certificate.
Not sure the transport layer applies to you?
DANE and MTA-STS have prerequisites not every setup meets. Two explainers sort out who can use what:
- DANE for email: who can use it, who can’t — the DNSSEC + TLSA requirement, and why most shared-hosting customers can’t deploy it.
- MTA-STS at shared hosts — where the HTTPS policy requirement makes MTA-STS practical, and where it doesn’t.
Verify the result
Whatever your host, run your domain through the free MXAudit scanner when you’re done. It checks SPF, DKIM, DMARC, MTA-STS, DANE, TLS-RPT and BIMI in a single pass and tells you exactly what’s still missing.
