Defaults.Exposed › Reports
Which Email Provider Gives Its Customers the Strongest SPF Defaults? (2026)
Published 2026-07-03
Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains. We count the exact
include:/redirect=targets in published SPF records — public DNS, aggregated per provider; never an individual business’s record. See how we grade.
Every SPF record names the services allowed to send for a domain — so 139 million SPF records are also a census of provider defaults, and the defaults differ wildly: 85.0% of domains including Microsoft 365 end their SPF with strict -all, against 8.0% of domains including Google Workspace. The second finding matters more: on the measure that actually stops spoofing — an enforcing DMARC policy behind the record — no major mailbox provider’s customer base gets past 30% finished.
The league: strict endings and finished protection, by provider
Domains whose SPF includes each provider; the share ending strict (-all); and the share with enforcing DMARC — the combination that stops forgeries:
| Provider (include target) | Domains authorising | % strict -all | % with enforcing DMARC |
|---|---|---|---|
Google Workspace (_spf.google.com) | 12,145,313 | 8.0% | 18.5% |
Microsoft 365 (spf.protection.outlook.com) | 10,205,070 | 85.0% | 21.7% |
Namecheap forwarding (spf.efwd.registrar-servers.com) | 7,355,985 | <0.1% | 0.2% |
GoDaddy (secureserver.net) | 7,061,426 | 86.0% | 29.3% |
Hostinger (_spf.mail.hostinger.com) | 4,476,640 | 0.2% | 1.0% |
IONOS EU (_spf-eu.ionos.com) | 4,346,526 | 0.3% | 1.0% |
HostGator (websitewelcome.com) | 3,102,616 | 0.6% | 1.6% |
OVH (mx.ovh.com) | 2,132,049 | 43.7% | 2.2% |
Cloudflare Email Routing (_spf.mx.cloudflare.net) | 2,007,483 | 2.9% | 10.0% |
MailChannels (relay.mailchannels.net) | 1,870,177 | 28.4% | 10.0% |
Mailgun (mailgun.org) | 1,306,692 | 7.2% | 35.9% |
SendGrid (sendgrid.net) | 740,321 | 19.0% | 18.0% |
Zoho Mail (zohomail.com) | 662,546 | 7.3% | 9.9% |
Amazon SES (amazonses.com) | 551,446 | 28.3% | 41.9% |
Stackmail / 20i (spf.stackmail.com) | 519,246 | 98.2% | 3.3% |
How to read this table — honestly
Four things this data is and isn’t:
- Rows are include-populations, not customers. A domain including both Google and Mailgun appears in both rows.
- The strict column photographs each provider’s setup template plus its customer mix. Microsoft’s onboarding emits
-all; Google’s documentation recommends~all; hosting panels auto-provision records on domains that may send no mail at all — which can inflate a strict share without any human deciding anything. - A low strict share isn’t automatically wrong. Namecheap’s row is an email-forwarding product — and forwarding is exactly the case where
-allmisfires, so a soft template there is arguably correct configuration. The exposure in that row is the other column: 0.2% enforced. - The enforcement column is the real ranking. Strict-vs-soft is a style choice once DMARC enforces; without enforcement, neither ending stops a forgery at most receivers.
Three stories in the columns
- Defaults are destiny. Customers overwhelmingly keep whatever the wizard gave them — 92% of Google-including domains keep a non-strict ending, overwhelmingly the
~allGoogle’s guide recommends; 98.2% of Stackmail domains keep the-allits panel writes. Almost nobody re-decides a qualifier later. This is the founding observation of this whole census, written 139 million times. - The finish line is crossed by users, not templates. The enforcement leaders are the developer-centric senders — Amazon SES (41.9%) and Mailgun (35.9%) — whose customers skew towards teams that complete the job. The big mailbox providers’ bases sit between 18.5% and 29.3% enforced regardless of how strict their SPF template was.
- The exposed mass is the hosting-and-forwarding tier. Namecheap forwarding, Hostinger, IONOS and HostGator together cover more than 19 million domains at 2% enforced or less — small-business names running whatever the panel installed, softly fenced and unenforced.
What to do with your own domain
- See which providers your SPF actually includes —
dig TXT yourdomain.com, or check free. - Don’t cargo-cult a strict ending: map your senders, then either tighten to
-allor keep~alland put DMARCp=rejectbehind it. - Whatever your provider handed you is a template you inherited — and a free DNS edit to change.
Frequently asked questions
Which email provider has the most secure SPF default?
By strict template: Stackmail / 20i (98.2% of domains end -all), GoDaddy (86.0%) and Microsoft 365 (85.0%). By finished protection — enforcing DMARC behind SPF — Amazon SES customers lead at 41.9%. The two measures reward a strict template and a completing customer base respectively.
Does using Google Workspace mean my SPF is weak?
Not inherently. Google’s recommended ~all is sound practice when paired with an enforcing DMARC policy — but only 18.5% of Google-including domains have that pairing as of 2026-06-29. The weakness isn’t the softfail; it’s stopping there.
Do these numbers judge the providers’ own security? No. They measure the published SPF posture of customer domains that include each provider — aggregated public DNS, shaped by setup templates, documentation and customer mix. No individual domain is identified or graded publicly.
Why does my provider’s template decide my security? Because it’s copied once, on day one, and our census shows it’s almost never re-decided. Defaults persist — which is exactly why checking yours is worth 30 seconds.
Check what your domain inherited
Whatever the setup wizard wrote is still sitting in your DNS. Reading it — and finishing it — is free.
Check your domain → · Fix SPF → · ~all vs -all → · SPF without DMARC → · Email hosting market share → · Aggregate data only. Data stored and processed in the EU.