Germany’s three biggest consumer email brands just moved the goalposts for anyone who sends mail from their own domain. On May 6, 2026, deliverability watchers flagged that 1&1 Mail & Media — the company behind GMX, WEB.DE and mail.com — is switching on inbound DMARC enforcement. Mail from a domain that says “reject me if I fail authentication” will now be taken at its word, and bounced at the door.
What’s actually changing
GMX, WEB.DE and mail.com will now honour a sending domain’s DMARC policy. If your domain publishes p=reject and a message claiming to be from you fails both SPF and DKIM checks, the three providers reject it during the SMTP transaction with the error 554 Transaction failed Reject due to domain’s DMARC policy. Previously that mail might have slipped into spam or even the inbox. Now it does not arrive at all. (Source: Spam Resource, May 6, 2026.)
The change is a phased rollout across the weeks following the early-May announcement, not a single switch. It puts the GMX group in line with Gmail and Yahoo, which began enforcing sender rules in February 2024, Microsoft in May 2025, and France’s La Poste in September 2025. Honouring p=reject is the last piece — the inbox provider finally does what the sending domain explicitly asked it to do.
Why it matters for your inbox
If GMX, WEB.DE or mail.com is the address you read mail at, this is a quiet security upgrade: phishing messages that spoof a protected domain — a bank, a delivery service, an employer — get stopped before they reach you. If you send mail from your own custom domain, it is a hard deadline. A p=reject policy with a broken DKIM signature now means your message to a GMX or WEB.DE contact silently turns into a bounce.
GMX is unusually strict about what counts as authenticated. A valid DKIM signature is mandatory, and the DKIM domain has to align with your visible From address in at least relaxed mode. SPF on its own does not cut it — GMX states plainly that “SPF alone is not sufficient.” (Source: GMX Postmaster, accessed May 14, 2026.) So the failure mode here is specific: domains that rushed to p=reject for the security badge but never got DKIM signing working correctly.
What to do this week
Check your domain’s DMARC record. If it says p=reject, confirm that DKIM is signing every message and that the signing domain aligns with your From address — send a test mail to a GMX or WEB.DE address and read the headers. If DKIM is not solid yet, drop your policy to p=none or p=quarantine until it is, rather than leaving p=reject on a broken setup.
For most people who read this site, you send from a normal Gmail, Outlook or GMX mailbox and there is nothing to do — your provider authenticates your mail for you. The people who need to act are anyone running a custom domain: freelancers, small businesses, newsletter writers, anyone who set up you@yourname.com. If your mail to German contacts starts vanishing, this is the first thing to check. And if your own inbox has ever bounced incoming mail, our guide on what to do when Gmail storage is full covers the receiving-side version of the same bounce problem.
The broader signal is clear: in 2026, publishing a strict DMARC policy you cannot actually back up is no longer a harmless overstatement. Mailbox providers are starting to believe you.
Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.
LinkedInFrequently asked questions
What did GMX, WEB.DE and mail.com announce? — inbound DMARC enforcement honouring p=reject
Their parent company, 1&1 Mail & Media GmbH, said it is turning on inbound DMARC enforcement. If a sending domain publishes a DMARC policy of p=reject and a message from that domain fails authentication, GMX, WEB.DE and mail.com will now reject the message during the SMTP transaction instead of delivering it or filing it as spam.
Will this affect the email I send to friends on GMX or WEB.DE? — only if you use your own domain with broken auth
Only if you send from your own domain and that domain publishes DMARC p=reject while your SPF or DKIM is misconfigured. Mail sent from a normal GMX, Gmail or Outlook mailbox is unaffected — those providers authenticate your mail for you.
What is the exact rejection message? — 554 Transaction failed Reject due to domain’s DMARC policy
Failing mail is bounced with the SMTP error ‘554 Transaction failed Reject due to domain’s DMARC policy.’ The bounce goes back to the sender, so you find out your mail did not arrive.
What does GMX require to pass? — a mandatory, aligned DKIM signature
GMX makes a valid DKIM signature mandatory, and the DKIM domain must align with the From address in at least relaxed mode. SPF is recommended but, in GMX’s words, ‘SPF alone is not sufficient.’ DMARC itself is recommended for every domain owner.
Is this a good thing or a bad thing for me? — protective if you receive, a deadline if you send
If you only receive mail at GMX, WEB.DE or mail.com, it is good news — fewer spoofed messages pretending to be your bank will reach you. If you send from your own domain, it is a deadline: fix your authentication now or your mail to those inboxes bounces.
When does enforcement start? — a phased rollout already under way
1&1 described a phased rollout over the weeks following the early-May 2026 announcement rather than a single hard cutover date. Treat it as already happening and check your setup now.