GMX, WEB.DE and mail.com start fully enforcing DMARC for 42 million mailboxes

The company behind popular mail providers GMX, WEB.DE and mail.com has announced that it will soon start to fully enforce DMARC policies on inbound email.

The announcement was made by Nikolas Bauer, Senior Mail Security Engineer at 1&1 Mail & Media, on 5 May 2026 on the mailop mailing list, saying:

We would like to inform you that we will shortly enable the full enforcement of DMARC policies with p=reject across our entire email infrastructure (for our brands GMX.NET, WEB.DE, and mail.com).

Once activated, incoming messages that fail DMARC validation and whose sending domain publishes a DMARC policy of p=reject will be rejected at the MTA/SMTP level, in accordance with the policy explicitly defined by the domain owner.

This measure strengthens protection against spoofing, phishing, and brand abuse and aligns our approach with current industry best practices and the enforcement behaviour of major international mailbox providers.

This news is significant as GMX, WEB.DE and mail.com serve around 42 million active users, according to the 1&1 Mail & Media website. In particular, 1&1 says that:

• GMX is the leading email provider in Germany, Austria and Switzerland with over 20 million users.
• WEB.DE has 17 million users in Germany.
• mail.com targets the US market and accounts for the remaining 5 million users.

What’s changing in practice

In practice, if you publish a DMARC policy of p=reject for your domain, GMX/WEB.DE/mail.com will now reject email messages from that domain if they fail authentication and/or lack DMARC alignment.

Previously, these messages were treated as if the policy was p=quarantine and therefore classified as spam instead of being rejected.

As mentioned in the postmaster help pages, failing messages will be rejected at the SMTP session level with the following error message: 554 Transaction failed Reject due to domain's DMARC policy.

Rollout details

1&1 mentions that their email systems are being gradually updated in a phased rollout:

The phased rollout is expected to begin in the coming weeks.

At the tiem of writing, this is the latest update from the postmaster help page:

We are currently in the process of gradually updating our systems so that emails that fail DMARC validation and have a policy of p=reject will be rejected in the future rather than simply being classified as spam. This change ensures that we comply with the domain owner’s published policy. (May 2026)

What you should do

If you send emails to recipients using GMX, WEB.DE or mail.com, you should make sure that all your email flows are correctly authenticated and aligned, especially if you publish a DMARC policy of p=reject.

As the announcement notes, 1&1 has been sending DMARC aggregate reports (rua) “for an extended period of time”. This makes it much easier to identify email flows that are not correctly authenticated for DMARC purposes.

At DMARCwise, we help you gain visibility into your email flows and fix misconfigurations, with a comprehensive email monitoring suite that includes DMARC monitoring through aggregated DMARC reports. Give it a try for free!