DNSSEC is in a whole different league. But I'd be very skeptical of putting a one-liner from a generator into my DNS without understanding, at least at a basic level, _what_ it was doing. Understanding that also means you can do some manual verification - take a look at email headers to see how mail servers are responding to your configuration, etc. etc.
As for configuring a mail server, yes, that's definitely way harder. But these days, most companies outsource that to the likes of Google or Microsoft, until they get large enough to justify administering their own. There are exceptions to every rule, etc. etc., but every company I've worked at has either used G Suite or Office 365.
The result being: many companies have email services running, but don't have anybody whose day-to-day is understanding how it works and how it's secured.
> But I'd be very skeptical of putting a one-liner from a generator into my DNS without understanding, at least at a basic level, _what_ it was doing
You're completely right, of course. In my experience, these generators usually explain what the generated code means, though. These records are a lot easier to read than they are to write if all you've got is a manual and a technical specification.
I haven't used any hosted mailing services myself, but I can't imagine their control panels don't have either an option to generate the necessary policies for you or an extensive guide on how you should configure these records and why. These records are the only part of the mail ecosystem these hosted platforms can't manage (unless you also let them do DNS), so they're a crucial step of the onboarding process.
For SPF and DKIM, yes, you're right - most hosted services will generate those DNS records for you, and validate that they're set correctly in your DNS. But in my experience, they often don't mention DMARC at all, present DKIM as a "hey just do this don't worry about it" (which, given that it's cryptography... yeah, I don't necessarily disagree with that approach, don't scare people off), and often don't provide good SPF practices (~all vs. ?all vs. -all).
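As an added illustration of the points above (the `~all` / `?all` / `-all` qualifiers, the DMARC `p=` policy and report address, and checking mail-server verdicts in headers), here is a small Python linter that is not part of this thread or of any mail provider's tooling. It parses an SPF TXT record, a DMARC TXT record and an `Authentication-Results` header value and reports the weak settings a defender would want flagged. All sample records and the `example.invalid` / `mailhost.invalid` domains are constructed for the example; the lookup-limit and qualifier semantics follow RFC 7208 and RFC 7489.

```python
import re

# Constructed sample records for a fictional domain; not real DNS data or real headers.
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.invalid ip4:192.0.2.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid; pct=100"
SAMPLE_AUTH_RESULTS = (
    "mx.example.invalid; spf=pass smtp.mailfrom=example.invalid; "
    "dkim=pass header.d=example.invalid header.s=sel1; "
    "dmarc=pass (p=NONE) header.from=example.invalid"
)

# Meaning of the qualifier on the final "all" mechanism (RFC 7208).
SPF_ALL_MEANING = {
    "-": "fail: mail from unlisted hosts is rejected",
    "~": "softfail: mail from unlisted hosts is accepted but marked suspicious",
    "?": "neutral: no assertion is made, so no protection",
    "+": "pass: every host passes, which makes the record pointless",
}
# Mechanisms and modifiers that each cost one of the 10 permitted DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs plus the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record):
    """Return human-readable warnings about a record's default policy and lookup count."""
    parsed = parse_spf(record)
    findings = []
    q = parsed["all"]
    if q is None:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif q in ("?", "+"):
        findings.append(f"weak default '{q}all' ({SPF_ALL_MEANING[q]})")
    elif q == "~":
        findings.append("softfail '~all': acceptable during rollout; move to -all once all senders are listed")
    lookups = sum(
        1 for _, m in parsed["mechanisms"]
        if re.split(r"[:=/]", m, maxsplit=1)[0].lower() in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record):
    """Flag a monitoring-only policy and a missing aggregate-report address."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be sent, so nothing is learned")
    return findings


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header value."""
    return {
        m.group(1).lower(): m.group(2).lower()
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    }


if __name__ == "__main__":
    for finding in spf_findings(SAMPLE_SPF) + dmarc_findings(SAMPLE_DMARC):
        print("-", finding)
    print(parse_auth_results(SAMPLE_AUTH_RESULTS))
```

Run it against the TXT records you actually publish (`dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) and against the `Authentication-Results` header of a message you sent to yourself; the SPF parser deliberately treats a missing qualifier as `+`, which is why an accidental `all` with no sign is reported as a weak default.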
On generators, a lot of them left me in an uncanny valley. They were supposed to make everything easier, but didn't explain the basic concepts, so I didn't know the values to even put into the generator. After I nailed down some of the basics, the generators just started making sense.
YMMV. There's an infinite combination of mail hosts/servers, DNS providers, and record generators. Collating all that information the first time can be overwhelming, if DNS or email aren't an area of expertise, but I'm sure there's a low-friction path out there. A Northwest Passage of email security. I'd love to find it.
I didn't realise that ProtonMail had DMARC built in. I'm kind of surprised more email providers aren't including DMARC report analysis out-of-the-box, to be honest.
If Google Workspace/G Suite started pushing admins to use DMARC, and provided tools to make it easy, so many more domains would be protected, particularly in startup world.