Last updated: July 2026
In short: The three foundational standards—SPF, DKIM, and DMARC—form the bedrock of modern email authentication. Our technical comparison across all 25 providers shows: while shared hosts often pre-activate SPF or offer simple setup wizards and 1-click DKIM activation, pure DNS specialists require manual entry of every record. Below is the comprehensive comparison table detailing exact activation paths and setup guides across all 25 providers.
Before your email travels across the transport layer (MTA-STS and DANE), receiving mail servers verify whether the message sender is genuine. That authentication relies on three core mechanisms detailed in our guide SPF, DKIM, and DMARC explained:
- SPF (Sender Policy Framework): Specifies via a DNS TXT record which IP addresses and mail servers are authorized to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): Cryptographically signs outgoing messages (
1024 or 2048 bit) so recipients can verify that the message content was not altered in transit. - DMARC (Domain-based Message Authentication): Unifies SPF and DKIM and instructs receiving servers via a DNS policy what to do with unauthenticated emails (
none,quarantine, orreject).
How easily you can deploy these standards—whether through automatic pre-activation, guided wizards, or manual DNS configuration—varies widely from one provider to the next.
Complete table: SPF, DKIM, and DMARC setup across all 25 providers
The table below outlines how all 25 providers from our technical matrix handle the configuration of SPF, DKIM, and DMARC, along with direct links to their step-by-step setup guides.
| Provider | SPF Setup | DKIM Activation Path | DMARC Setup | Guides & Setup Paths |
|---|---|---|---|---|
| All-Inkl | TXT wizard / Manual in KAS | 1-click in KAS panel (generate key) | TXT record in KAS DNS console | SPF · DKIM · DMARC |
| checkdomain | TXT wizard in Domain Center | Generate key in mail panel | TXT record in DNS editor | SPF · DKIM · DMARC |
| domainfactory | Template / Manual in DNS editor | 1-click activation in email menu | TXT record in DNS editor | SPF · DKIM · DMARC |
| Google Workspace | Manual (include:_spf.google.com) | Generate key in Admin Console (TXT) | TXT record in DNS after alignment | SPF · DKIM · DMARC |
| Hetzner DNS | Manual TXT (full DNS access) | Manual (publish CNAME/TXT from mail host) | Manual TXT record in CCP console | SPF · DKIM · DMARC |
| IONOS | Pre-activated (or manual TXT) | 1-click toggle under email settings | TXT record in domain management | SPF · DKIM · DMARC |
| Mailcow | Automatically generated in UI | Automatically generated (RSA/Ed25519) | Automatically suggested in UI | SPF · DKIM · DMARC |
| Microsoft 365 | Manual (include:spf.protection.outlook.com) | Generate 2 CNAME records in Defender | TXT record after CNAME publishing | SPF · DKIM · DMARC |
| Netcup | Wizard / Manual in CCP | Generate key in CCP email settings | TXT record in CCP DNS editor | SPF · DKIM · DMARC |
| Strato | Toggle in DNS menu / template | Automatic or 1-click activation | TXT record under domain management | SPF · DKIM · DMARC |
| united-domains | TXT wizard / DNS entry | Create key in email section | TXT record in domain portfolio | SPF · DKIM · DMARC |
| Cloudflare | Manual TXT (DNS only proxy setting) | Manual CNAME/TXT publishing | Manual TXT record in DNS dashboard | SPF · DKIM · DMARC |
| Amazon Route 53 | Manual TXT in Hosted Zone | Manual CNAME/TXT entry | Manual TXT record in Route 53 | SPF · DKIM · DMARC |
| Gandi | Standard SPF template / LiveDNS | Generate DKIM key in email tab | Add TXT record in LiveDNS | SPF · DKIM · DMARC |
| OVHcloud | Wizard (MX Plan / Email Pro) | Automatic or 1-click in customer control | Add TXT record in DNS zone | SPF · DKIM · DMARC |
| GoDaddy | Wizard / Manual in DNS Manager | CNAME/TXT (depending on M365/cPanel plan) | TXT record in DNS management | SPF · DKIM · DMARC |
| o2switch | Template / cPanel Zone Editor | 1-click via cPanel (Email Deliverability) | Add TXT record via cPanel | Provider overview |
| LWS | Template in LWS panel | 1-click activation in LWS email area | TXT record in LWS DNS manager | Provider overview |
| Infomaniak | Pre-activated / Infomaniak Manager | 1-click toggle under email security | Add TXT record in DNS zone | Provider overview |
| DonDominio | TXT wizard / Control Panel | Generate key under Mail Management | Add TXT record in DNS Zone | Provider overview |
| Dinahosting | Wizard in Control Panel | 1-click under Email Security | Add TXT record in DNS editor | Provider overview |
| cdmon | Wizard in Control Panel | Generation under Mail section | Add TXT record in cdmon DNS | Provider overview |
| Raiola Networks | cPanel Zone Editor / template | 1-click via cPanel Email Deliverability | Add TXT record via cPanel | Provider overview |
| Hostinger | Template / hPanel DNS zone | 1-click under Email Accounts in hPanel | Add TXT record in hPanel | SPF · DKIM · DMARC |
| webgo | TXT template / Customer Portal | 1-click under Email Settings | Add TXT record in DNS editor | SPF · DKIM · DMARC |
Detailed architecture analysis by provider category
1. Shared hosting providers
For hosts that bundle both domain DNS and mailbox hosting (IONOS, Strato, Netcup, All-Inkl, domainfactory, united-domains, checkdomain, Hostinger, webgo, o2switch, LWS, Infomaniak, DonDominio, Dinahosting, cdmon, Raiola Networks), authentication setup is designed for maximum convenience:
- SPF automation: At IONOS, SPF is pre-activated by default for all domains with active mailboxes. Strato and All-Inkl provide intuitive wizards or switches in the control panel that insert the required sending IPs automatically (
include:...). - DKIM activation paths: On cPanel-driven platforms (such as o2switch or Raiola Networks), navigating to “Email Deliverability” allows you to generate a
2048 bitDKIM key and publish it directly to the DNS zone in one click. At Netcup, All-Inkl, or Infomaniak, you generate keys directly within the respective email settings console. - DMARC integration: Because DMARC enforces strict alignment between SPF and DKIM (
Alignment), this policy record is always added as a TXT record (_dmarc.yourdomain.com) manually or via wizard once SPF and DKIM are active.
2. Pure DNS specialists
When your domain is managed by a pure DNS platform (Hetzner DNS, Cloudflare, Amazon Route 53) while your mailboxes are hosted elsewhere, you have total control but must execute every step manually:
- No automated templates: Because the DNS host does not know where your mailboxes reside, you must manually create the exact SPF TXT string provided by your external email host.
- DKIM record publishing: You generate the DKIM keys or CNAME selectors inside your email provider’s console and copy them into the Hetzner, Cloudflare (ensuring the proxy toggle is set to “DNS only”), or Route 53 DNS dashboard.
3. Cloud email suites: Microsoft 365 and Google Workspace
The two leading enterprise cloud suites require coordinated configuration across two distinct interfaces:
- Microsoft 365: You insert the standard SPF mechanism (
include:spf.protection.outlook.com) into your domain DNS zone. For DKIM, you create exactly two CNAME records (selector1andselector2) inside the Microsoft 365 Defender portal, publish them in your DNS, and then click to activate signing in Microsoft Defender. - Google Workspace: You publish
include:_spf.google.comfor SPF. For DKIM, you generate a TXT key (google._domainkey) inside the Google Admin Console. Once the TXT record propagates in DNS, you activate signing inside the Admin Console.
4. Self-hosted mail servers: Mailcow
If you run Mailcow, you experience the highest level of automation for administrators: Mailcow calculates and displays exactly how your SPF, DKIM, DMARC, as well as DANE and MTA-STS records should look right in its UI. You simply copy those exact values into your authoritative DNS zone.
Verify your configuration with MXAudit
After making any updates to your DNS records or control panels, always verify your authentication setup using the free MXAudit scanner. The scanner runs a real-time inspection of your DNS zone, checks whether your SPF syntax is valid, verifies that your public DKIM key is reachable, and confirms that your DMARC policy is properly deployed without syntax errors or misalignments.
Further reading
- RFC 7208 — Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1 (retrieved: July 17, 2026)
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures (retrieved: July 17, 2026)
- RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC) (retrieved: July 17, 2026)
- SPF, DKIM, and DMARC explained — Comprehensive guide to how the three core authentication mechanisms interact
- Email-security setup guides by provider — Overview of all 25 providers and step-by-step setup guides