Defaults.Exposed

Defaults.Exposed › Reports

Which Email Provider Gives Its Customers the Strongest SPF Defaults? (2026)

Published 2026-07-03

Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains. We count the exact include:/redirect= targets in published SPF records — public DNS, aggregated per provider; never an individual business’s record. See how we grade.

Every SPF record names the services allowed to send for a domain — so 139 million SPF records are also a census of provider defaults, and the defaults differ wildly: 85.0% of domains including Microsoft 365 end their SPF with strict -all, against 8.0% of domains including Google Workspace. The second finding matters more: on the measure that actually stops spoofing — an enforcing DMARC policy behind the record — no major mailbox provider’s customer base gets past 30% finished.

The league: strict endings and finished protection, by provider

Domains whose SPF includes each provider; the share ending strict (-all); and the share with enforcing DMARC — the combination that stops forgeries:

Provider (include target)Domains authorising% strict -all% with enforcing DMARC
Google Workspace (_spf.google.com)12,145,3138.0%18.5%
Microsoft 365 (spf.protection.outlook.com)10,205,07085.0%21.7%
Namecheap forwarding (spf.efwd.registrar-servers.com)7,355,985<0.1%0.2%
GoDaddy (secureserver.net)7,061,42686.0%29.3%
Hostinger (_spf.mail.hostinger.com)4,476,6400.2%1.0%
IONOS EU (_spf-eu.ionos.com)4,346,5260.3%1.0%
HostGator (websitewelcome.com)3,102,6160.6%1.6%
OVH (mx.ovh.com)2,132,04943.7%2.2%
Cloudflare Email Routing (_spf.mx.cloudflare.net)2,007,4832.9%10.0%
MailChannels (relay.mailchannels.net)1,870,17728.4%10.0%
Mailgun (mailgun.org)1,306,6927.2%35.9%
SendGrid (sendgrid.net)740,32119.0%18.0%
Zoho Mail (zohomail.com)662,5467.3%9.9%
Amazon SES (amazonses.com)551,44628.3%41.9%
Stackmail / 20i (spf.stackmail.com)519,24698.2%3.3%

How to read this table — honestly

Four things this data is and isn’t:

Three stories in the columns

What to do with your own domain

  1. See which providers your SPF actually includes — dig TXT yourdomain.com, or check free.
  2. Don’t cargo-cult a strict ending: map your senders, then either tighten to -all or keep ~all and put DMARC p=reject behind it.
  3. Whatever your provider handed you is a template you inherited — and a free DNS edit to change.

Frequently asked questions

Which email provider has the most secure SPF default? By strict template: Stackmail / 20i (98.2% of domains end -all), GoDaddy (86.0%) and Microsoft 365 (85.0%). By finished protection — enforcing DMARC behind SPF — Amazon SES customers lead at 41.9%. The two measures reward a strict template and a completing customer base respectively.

Does using Google Workspace mean my SPF is weak? Not inherently. Google’s recommended ~all is sound practice when paired with an enforcing DMARC policy — but only 18.5% of Google-including domains have that pairing as of 2026-06-29. The weakness isn’t the softfail; it’s stopping there.

Do these numbers judge the providers’ own security? No. They measure the published SPF posture of customer domains that include each provider — aggregated public DNS, shaped by setup templates, documentation and customer mix. No individual domain is identified or graded publicly.

Why does my provider’s template decide my security? Because it’s copied once, on day one, and our census shows it’s almost never re-decided. Defaults persist — which is exactly why checking yours is worth 30 seconds.

Check what your domain inherited

Whatever the setup wizard wrote is still sitting in your DNS. Reading it — and finishing it — is free.

Check your domain → · Fix SPF → · ~all vs -all · SPF without DMARC → · Email hosting market share → · Aggregate data only. Data stored and processed in the EU.