Last updated: July 2026

In short: The three foundational standards—SPF, DKIM, and DMARC—form the bedrock of modern email authentication. Our technical comparison across all 25 providers shows: while shared hosts often pre-activate SPF or offer simple setup wizards and 1-click DKIM activation, pure DNS specialists require manual entry of every record. Below is the comprehensive comparison table detailing exact activation paths and setup guides across all 25 providers.

Before your email travels across the transport layer (MTA-STS and DANE), receiving mail servers verify whether the message sender is genuine. That authentication relies on three core mechanisms detailed in our guide SPF, DKIM, and DMARC explained:

  1. SPF (Sender Policy Framework): Specifies via a DNS TXT record which IP addresses and mail servers are authorized to send email on behalf of your domain.
  2. DKIM (DomainKeys Identified Mail): Cryptographically signs outgoing messages (1024 or 2048 bit) so recipients can verify that the message content was not altered in transit.
  3. DMARC (Domain-based Message Authentication): Unifies SPF and DKIM and instructs receiving servers via a DNS policy what to do with unauthenticated emails (none, quarantine, or reject).

How easily you can deploy these standards—whether through automatic pre-activation, guided wizards, or manual DNS configuration—varies widely from one provider to the next.

Complete table: SPF, DKIM, and DMARC setup across all 25 providers

The table below outlines how all 25 providers from our technical matrix handle the configuration of SPF, DKIM, and DMARC, along with direct links to their step-by-step setup guides.

ProviderSPF SetupDKIM Activation PathDMARC SetupGuides & Setup Paths
All-InklTXT wizard / Manual in KAS1-click in KAS panel (generate key)TXT record in KAS DNS consoleSPF · DKIM · DMARC
checkdomainTXT wizard in Domain CenterGenerate key in mail panelTXT record in DNS editorSPF · DKIM · DMARC
domainfactoryTemplate / Manual in DNS editor1-click activation in email menuTXT record in DNS editorSPF · DKIM · DMARC
Google WorkspaceManual (include:_spf.google.com)Generate key in Admin Console (TXT)TXT record in DNS after alignmentSPF · DKIM · DMARC
Hetzner DNSManual TXT (full DNS access)Manual (publish CNAME/TXT from mail host)Manual TXT record in CCP consoleSPF · DKIM · DMARC
IONOSPre-activated (or manual TXT)1-click toggle under email settingsTXT record in domain managementSPF · DKIM · DMARC
MailcowAutomatically generated in UIAutomatically generated (RSA/Ed25519)Automatically suggested in UISPF · DKIM · DMARC
Microsoft 365Manual (include:spf.protection.outlook.com)Generate 2 CNAME records in DefenderTXT record after CNAME publishingSPF · DKIM · DMARC
NetcupWizard / Manual in CCPGenerate key in CCP email settingsTXT record in CCP DNS editorSPF · DKIM · DMARC
StratoToggle in DNS menu / templateAutomatic or 1-click activationTXT record under domain managementSPF · DKIM · DMARC
united-domainsTXT wizard / DNS entryCreate key in email sectionTXT record in domain portfolioSPF · DKIM · DMARC
CloudflareManual TXT (DNS only proxy setting)Manual CNAME/TXT publishingManual TXT record in DNS dashboardSPF · DKIM · DMARC
Amazon Route 53Manual TXT in Hosted ZoneManual CNAME/TXT entryManual TXT record in Route 53SPF · DKIM · DMARC
GandiStandard SPF template / LiveDNSGenerate DKIM key in email tabAdd TXT record in LiveDNSSPF · DKIM · DMARC
OVHcloudWizard (MX Plan / Email Pro)Automatic or 1-click in customer controlAdd TXT record in DNS zoneSPF · DKIM · DMARC
GoDaddyWizard / Manual in DNS ManagerCNAME/TXT (depending on M365/cPanel plan)TXT record in DNS managementSPF · DKIM · DMARC
o2switchTemplate / cPanel Zone Editor1-click via cPanel (Email Deliverability)Add TXT record via cPanelProvider overview
LWSTemplate in LWS panel1-click activation in LWS email areaTXT record in LWS DNS managerProvider overview
InfomaniakPre-activated / Infomaniak Manager1-click toggle under email securityAdd TXT record in DNS zoneProvider overview
DonDominioTXT wizard / Control PanelGenerate key under Mail ManagementAdd TXT record in DNS ZoneProvider overview
DinahostingWizard in Control Panel1-click under Email SecurityAdd TXT record in DNS editorProvider overview
cdmonWizard in Control PanelGeneration under Mail sectionAdd TXT record in cdmon DNSProvider overview
Raiola NetworkscPanel Zone Editor / template1-click via cPanel Email DeliverabilityAdd TXT record via cPanelProvider overview
HostingerTemplate / hPanel DNS zone1-click under Email Accounts in hPanelAdd TXT record in hPanelSPF · DKIM · DMARC
webgoTXT template / Customer Portal1-click under Email SettingsAdd TXT record in DNS editorSPF · DKIM · DMARC

Detailed architecture analysis by provider category

1. Shared hosting providers

For hosts that bundle both domain DNS and mailbox hosting (IONOS, Strato, Netcup, All-Inkl, domainfactory, united-domains, checkdomain, Hostinger, webgo, o2switch, LWS, Infomaniak, DonDominio, Dinahosting, cdmon, Raiola Networks), authentication setup is designed for maximum convenience:

  • SPF automation: At IONOS, SPF is pre-activated by default for all domains with active mailboxes. Strato and All-Inkl provide intuitive wizards or switches in the control panel that insert the required sending IPs automatically (include:...).
  • DKIM activation paths: On cPanel-driven platforms (such as o2switch or Raiola Networks), navigating to “Email Deliverability” allows you to generate a 2048 bit DKIM key and publish it directly to the DNS zone in one click. At Netcup, All-Inkl, or Infomaniak, you generate keys directly within the respective email settings console.
  • DMARC integration: Because DMARC enforces strict alignment between SPF and DKIM (Alignment), this policy record is always added as a TXT record (_dmarc.yourdomain.com) manually or via wizard once SPF and DKIM are active.

2. Pure DNS specialists

When your domain is managed by a pure DNS platform (Hetzner DNS, Cloudflare, Amazon Route 53) while your mailboxes are hosted elsewhere, you have total control but must execute every step manually:

  • No automated templates: Because the DNS host does not know where your mailboxes reside, you must manually create the exact SPF TXT string provided by your external email host.
  • DKIM record publishing: You generate the DKIM keys or CNAME selectors inside your email provider’s console and copy them into the Hetzner, Cloudflare (ensuring the proxy toggle is set to “DNS only”), or Route 53 DNS dashboard.

3. Cloud email suites: Microsoft 365 and Google Workspace

The two leading enterprise cloud suites require coordinated configuration across two distinct interfaces:

  • Microsoft 365: You insert the standard SPF mechanism (include:spf.protection.outlook.com) into your domain DNS zone. For DKIM, you create exactly two CNAME records (selector1 and selector2) inside the Microsoft 365 Defender portal, publish them in your DNS, and then click to activate signing in Microsoft Defender.
  • Google Workspace: You publish include:_spf.google.com for SPF. For DKIM, you generate a TXT key (google._domainkey) inside the Google Admin Console. Once the TXT record propagates in DNS, you activate signing inside the Admin Console.

4. Self-hosted mail servers: Mailcow

If you run Mailcow, you experience the highest level of automation for administrators: Mailcow calculates and displays exactly how your SPF, DKIM, DMARC, as well as DANE and MTA-STS records should look right in its UI. You simply copy those exact values into your authoritative DNS zone.

Verify your configuration with MXAudit

After making any updates to your DNS records or control panels, always verify your authentication setup using the free MXAudit scanner. The scanner runs a real-time inspection of your DNS zone, checks whether your SPF syntax is valid, verifies that your public DKIM key is reachable, and confirms that your DMARC policy is properly deployed without syntax errors or misalignments.

Further reading