Hosting providers across Europe bundle email with new domains for a hard commercial reason: a working inbox is one of the strongest tools they have for keeping a customer past the first year. A new audit shows how routinely they undercut that goal. ShareShift Intelligence’s “State of Email 2026,” subtitled The Forgotten Anchor, scanned 56.3 million domains across 19 European markets, with telemetry dated June 4, 2026. Three in four of those domains, 42.6 million, run an active mailbox. But one in four of those mailboxes, around 11 million, has no SPF record.
SPF, short for Sender Policy Framework, is a small DNS record that lists which servers are allowed to send mail for a domain. Without it, the domain’s outgoing mail is harder to authenticate and far more likely to be filtered into spam folders. In other words, the inbox a provider bundled in to build loyalty quietly stops delivering, and the retention it was meant to secure leaks away.
Bundled Mail Is a Retention Lever
The reason providers attach mail so widely is commercial, not technical. The report points to Verisign data for a finding it calls foundational: activating a mailbox on a domain causes first-year customer retention to spike. Verisign’s own 2026 figures bear that out, with a .com domain attached to a web presence or email renewing about 9% higher than an idle one, which is why the registry has begun rewarding registrars for the registrations most likely to renew. In a market where introductory domain discounts distort real growth, a working inbox is what keeps a customer paying in year two. The average email activation rate across Europe is 76%, and 95% of new mailboxes are switched on as part of a bundle immediately after a domain is registered.
Source: ShareShift.io
The window to capture that is narrow. If a customer does not configure an inbox within the first week of registering a domain, they almost never do, with the gain between day 7 and day 90 averaging just 2%. Providers respond with distinct playbooks: bundlers like All-Inkl and IONOS switch mail on by default, up-sellers like Namecheap and Hostinger push it after purchase, and GoDaddy resells Microsoft 365 rather than hosting mail itself.
Attaching Is Not Protecting
Bundling mail is only half the job, and the audit put a number on how often hosts skip the other half. Alongside the 11 million unprotected mailboxes, a further 400,000 are misconfigured, and in some country codes the problem is endemic, affecting 7% of .es and 5% of .cz domains. The audit looked only at SPF, not at the fuller stack of DKIM and DMARC, so it marks a floor for the problem rather than its ceiling.
Strato’s Cautionary Tale
The report singles out one provider to show how far the gap can stretch. Strato attaches mail to roughly 94% of new domains but configures SPF on only 6% of them. By the report’s math, that leaves Strato provisioning around 580 unauthenticated mail domains every day. As major mailbox networks enforce stricter delivery rules, those unauthenticated mailboxes increasingly land in spam folders, which the report describes as a ticking support bomb for the host that created them. Strato’s own support pages bear the pattern out: SPF is not applied by default, and customers are told to add the record themselves to keep their outgoing mail out of spam. Aruba.it, Italy’s largest player, sits in the same category, attaching mail widely while leaving most of it without SPF.
The Hosts That Bundle and Protect
The gap is a choice, not a technical limit, because plenty of providers do both. The report names All-Inkl, O2Switch and Websupport as secure by default, creating mailboxes with correct SPF records automatically. IONOS, which alone powers one in ten European mailboxes, attaches mail to most new domains and configures SPF on nearly all of them, as do OVH and others in the high-attach, high-protection group. GoDaddy sits at the opposite corner: by declining to bundle mail at registration, it activates email on a much smaller share of its domains and leaves the retention prize on the table, but the mailboxes it does run are largely authenticated. The failure mode the report highlights is narrower than the headline gap: providers that bundle aggressively and protect carelessly.
The contrast is clearest side by side, across a sample of the report’s Top 30 providers.
| Provider | Email attach | SPF |
|---|---|---|
| All-Inkl | 100% | 99.1% |
| O2Switch | 100% | 98.1% |
| IONOS | 99% | 96.5% |
| OVH | 97% | 95.1% |
| Strato | 94% | 6% |
| Aruba.it | 100% | 17.7% |
| GoDaddy | 25% | 83.9% |
When the Retention Play Backfires
The sharp edge of the report is that the two halves are connected. A host bundles mail to lift retention, then skips the SPF record that keeps that mail deliverable, and the customer ends up with an inbox whose outgoing messages quietly fail. Deliverability problems generate support tickets, erode trust, and feed the churn the bundle was meant to prevent. The report notes that the remedy is trivial for the host. An SPF record is among the cheapest retention investments a provider can make, and one in four European mailboxes still ships without one.
