Last updated: July 2026

In short: Transport layer security protects your email from downgrade and man-in-the-middle attacks. While almost all 25 providers in our matrix support basic SPF, DKIM, and DMARC, inbound DANE is only supported by 3 providers (Mailcow, Microsoft 365, Infomaniak) and managed MTA-STS by only 3 providers (Google Workspace, Mailcow, Microsoft 365). Below is the complete comparison table across all 25 providers with exact technical reasons.

While SPF, DKIM, and DMARC ensure that senders cannot be forged and messages arrive intact, DANE and MTA-STS protect the transport layer (SMTP) between participating mail servers. They enforce an encrypted TLS connection and prevent man-in-the-middle (MitM) and downgrade attacks.

Whether you can deploy these modern transport security standards depends directly on your email hosting provider and its underlying technical architecture. Our provider hub reveals that typical shared hosts lack the necessary infrastructure—such as DNSSEC-signed TLSA records on their shared mail servers or an HTTPS certificate for the required policy subdomain.

Complete table: DANE and MTA-STS across all 25 providers

The table below details the exact status of all 25 providers in our technical matrix for inbound DANE (via TLSA records) and managed MTA-STS (via policy hosting and DNS records).

ProviderDANE SupportMTA-STS SupportSetup Guides & Overview
All-InklNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
checkdomainNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
domainfactoryNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
Google WorkspaceNo (no inbound DANE; uses MTA-STS (see overview))Yes (MTA-STS setup)MTA-STS guide
Hetzner DNSNo (only via own MX; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
IONOSNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
MailcowYes (DANE/DNSSEC setup)Yes (MTA-STS setup)DANE · MTA-STS
Microsoft 365Yes (DANE/DNSSEC setup)Yes (MTA-STS setup)DANE · MTA-STS
NetcupNo (only via own MX; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
StratoNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
united-domainsNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
CloudflareNo (only via own MX; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
Amazon Route 53No (only via own MX; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
GandiNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
OVHcloudNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
GoDaddyNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
o2switchNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
LWSNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
InfomaniakYes (MX has TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)DANE overview
DonDominioNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
DinahostingNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
cdmonNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
Raiola NetworksNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
HostingerNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview
webgoNo (MX has no TLSA; see overview)No (no managed MTA-STS; see mta-sts-shared-hosting)Provider overview

Technical breakdown and architecture analysis

1. Why most shared hosts cannot offer DANE

For inbound DANE to work, the official mail servers of your hosting provider (e.g., at IONOS, Strato, All-Inkl, or OVHcloud) must be signed with DNSSEC and publish valid TLSA records in DNS that bind their TLS certificates. As explained in our guide DANE for email: who can use it, large shared hosting providers currently do not publish TLSA records for their shared mail exchangers (MX):

  • IONOS, Strato, All-Inkl, checkdomain, domainfactory, united-domains: The official mail servers lack TLSA records (MX has no TLSA; see overview). Deploying DANE for customer domains on these shared MX clusters is technically impossible.
  • Gandi, OVHcloud, GoDaddy, o2switch, LWS, DonDominio, Dinahosting, cdmon, Raiola Networks, Hostinger, webgo: Similarly, these providers do not maintain TLSA records on their default mail servers (MX has no TLSA; see overview).
  • Hetzner DNS, Netcup, Cloudflare, Amazon Route 53: As DNS specialists (or when using only DNS zones without managed mailboxes), these providers provide full DNSSEC and TLSA support in their DNS control panels. However, because they do not operate managed mailboxes for your domain, DANE is only applicable when you operate your own dedicated mail server (only via own MX; see overview).

2. Why Google Workspace and Microsoft 365 take different approaches

The two major cloud email platforms diverge significantly on transport layer security:

  • Microsoft 365 (Exchange Online): Microsoft supports both inbound DANE and MTA-STS. You can enable DANE for your custom domain using DNSSEC and PowerShell commands (DANE/DNSSEC setup at Microsoft 365). At the same time, Microsoft offers full support for managed MTA-STS (MTA-STS at Microsoft 365).
  • Google Workspace: Google does not publish TLSA records for its standard mail exchangers (no inbound DANE; uses MTA-STS (see overview)). Instead, Google relies entirely on MTA-STS as its primary standard for enforcing encrypted transport (MTA-STS setup at Google Workspace).

3. Why managed MTA-STS is impractical on most shared hosts

MTA-STS requires more than just a DNS TXT record; it also requires a policy text file (mta-sts.txt) hosted precisely at the subdomain mta-sts.yourdomain.com over HTTPS with a valid SSL/TLS certificate. As detailed in MTA-STS at shared hosts, this presents a major operational hurdle on standard shared hosting environments (no managed MTA-STS; see mta-sts-shared-hosting):

  • Providers such as IONOS, Strato, All-Inkl, Netcup, OVHcloud, and Hostinger do not provide an automated service to host and maintain this policy subdomain and its certificate.
  • To deploy MTA-STS on these shared platforms, you must manually create a dedicated subdomain, assign web hosting, and maintain the SSL certificate, or rely on third-party policy hosting services.

4. Self-hosted servers: Complete control with Mailcow

When you require maximum transport security and want to run both DANE and MTA-STS concurrently, running your own mail server is the most complete solution.

With Mailcow, you operate your own containerized mail suite. Because you maintain full administrative control over the DNS zone and the TLS certificates on your MX server (mail.yourdomain.com), Mailcow automatically generates the exact TLSA records needed for DANE and serves the full policy for MTA-STS directly from its UI (MTA-STS with Mailcow).

Verify your configuration with MXAudit

No matter which hosting provider or transport standard you select, always verify your domain configuration using the free MXAudit scanner after making DNS updates. The scanner performs an instant analysis of your entire email security stack—checking SPF, DKIM, DMARC, and verifying immediately whether your domain has valid DANE TLSA records and a working MTA-STS policy.

Further reading