Automating renewal by DNS-01 Options

Yes, you pretty much shouldn't ever use --manual except when testing something.

Ideally, there's a plugin for certbot for your DNS provider. This has certbot use your DNS provider's API to create the TXT record.

If your DNS provider doesn't have an API, or your security policy doesn't want to allow for your server to have DNS API credentials (as depending on the DNS provider, you may only be able to have API credentials with full access to edit the DNS zone rather than just the TXT record), then you probably want to look at a tool like acme-dns or agnos, which act as a special-purpose DNS server just for responding with the right TXT record.

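Added example, not from the post above or from certbot/acme-dns: it computes the DNS-01 TXT value the way RFC 8555 §8.4 defines it (SHA-256 of the key authorization, base64url) and checks offline whether a zone satisfies the challenge, following a CNAME from `_acme-challenge.<domain>` to a delegated name, which is how acme-dns style setups avoid giving the server full-zone API credentials. The JWK, token and zone records are constructed sample data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token + "." + thumbprint)) per RFC 8555 §8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_satisfied(domain: str, expected_txt: str, zone: dict,
                        max_cname_depth: int = 8) -> bool:
    """zone maps an owner name to {"CNAME": target} or {"TXT": [values]}.
    Follows CNAME delegation (bounded, so a loop cannot hang the check)."""
    name = f"_acme-challenge.{domain}".rstrip(".")
    for _ in range(max_cname_depth):
        rr = zone.get(name, {})
        if "CNAME" in rr:
            name = rr["CNAME"].rstrip(".")
            continue
        return expected_txt in rr.get("TXT", [])
    return False  # too many CNAME hops or a loop


# Constructed sample account key (EC P-256 public members) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def sample_delegated_check() -> bool:
    """The delegated-zone layout: only the acme-dns name holds the TXT record."""
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    zone = {"_acme-challenge.example.com": {"CNAME": "abc123.auth.acme-dns.example."},
            "abc123.auth.acme-dns.example": {"TXT": [value]}}
    return challenge_satisfied("example.com", value, zone)
```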