2025-08-12: My Own Mail Server – and Why Telekom Initially Didn’t Like It

As an IT service provider, I wanted to see for myself: running my own mail server – fully under my control, without depending on external providers.
For this, I use Mailcow, an open-source mail server suite running on a dedicated VPS at Hetzner. Everything is secured, regularly patched, and equipped with anti-spam mechanisms.
So far, so good – or so I thought.

What Actually Happens When an Email Is Sent?

When you send an email, several technical steps happen in the background:

  1. Connection Between Servers
    Your mail server accepts the message and connects to the target mail server – for example, Microsoft, Yahoo, GMX, Web.de, or Telekom.
  2. Identity and Security Checks
    Before the email is accepted, the receiving server checks:
    • Reverse DNS – Does the IP address match the hostname?
    • SPF, DKIM, DMARC – Do the authentication records match?
    • Reputation – Is the sending server known as trustworthy or as a spam source?
  3. Acceptance or Rejection
    If the sending server fails these checks, the message is rejected with ❌ “554 – Bad reputation” or a similar error message.

My Problem with Telekom

While Google, GMX, Web.de, and Yahoo accepted my emails without complaint, Telekom blocked everything coming from my server.
The reason: my IP address had been “inactive for a long time” and therefore had no reputation. For security reasons, Telekom does not accept such senders until they are reviewed – a protection mechanism for their customers.

In practice, this meant that even perfectly configured emails with all standards in place were rejected until I contacted Telekom directly.

✅ The Path to Getting Whitelisted

After a friendly but very technical exchange with Telekom’s Email Engineering team, the following requirements became clear:

  • The hostname of my server had to clearly identify me as the operator.
  • A publicly accessible contact option (phone number, legal notice) had to be linked directly to the sending domain.
  • The server could not be a shared host – only I am allowed to send emails from this IP.
  • Abuse protection (rate limits, account blocking for spam) had to be active.

I adjusted the configuration, redirected my domain cmdsrv.de directly to my legal notice page, and confirmed all required points.
Shortly afterward, I received confirmation from Telekom that my IP reputation would be reset:

“We will arrange for the reputation of this IP number to be reset in our systems. (Please note that depending on system load, it may take up to 24 hours for the change to take effect, but experience shows that this is usually done within one to two hours.)”

DMARC Reports – A Must for Admins

In addition to SPF, DKIM, and a clean reputation, as a mail server operator you should regularly evaluate DMARC reports.
These reports are automatically sent by many providers if you create a Postmaster address and set the appropriate DMARC entry in your DNS records.

Example of a valid DMARC DNS record:

Important:

  • postmaster@DOMAINNAME.de must be a functional email address that you check regularly.
  • These reports show you from which IP addresses emails were sent in the name of your domain and whether they passed SPF/DKIM checks.
  • This way, you can detect abuse and configuration errors early.
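
One way to evaluate such a report automatically, as an added example that is not part of the original post: the script reads a DMARC aggregate report (the XML format from RFC 7489) and lists source IPs that are not your own server, followed by rows where your own server failed SPF or DKIM. The sample report, the OWN_SENDERS set and the function name review_report are constructed for illustration, and the report is assumed to be already unpacked from its mail attachment.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (RFC 7489 aggregate format); IPs are documentation ranges.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>17</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

OWN_SENDERS = {"192.0.2.10"}  # assumption: the only IP that sends mail for the domain


def review_report(xml_text, own_senders=OWN_SENDERS):
    """Return (severity, source_ip, count, dkim, spf) findings, worst first."""
    # Reports arrive by mail from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("report contains a DTD or entity declaration")
    findings = []
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        spf = row.findtext("policy_evaluated/spf", "").strip().lower()
        if ip not in own_senders:
            # Foreign IP using the domain: a forwarder if DKIM passes, else abuse or an unlisted service.
            severity = "unknown-source"
        elif dkim != "pass" or spf != "pass":
            # Own server, but SPF or DKIM fails: a configuration error to fix.
            severity = "own-misconfig"
        else:
            continue
        findings.append((severity, ip, count, dkim, spf))
    order = {"unknown-source": 0, "own-misconfig": 1}
    return sorted(findings, key=lambda f: (order[f[0]], -f[2]))


if __name__ == "__main__":
    for finding in review_report(SAMPLE_REPORT):
        print(*finding)
```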

Useful Links for Testing Mail Server Reputation & Configuration

Tip: Run these tests before going live – this will help you avoid surprises with strict providers like Telekom.

☎️ Telekom Postmaster Contact

If your emails are blocked by Telekom, you can reach the Email Engineering team here:

Deutsche Telekom AG
E-Mail Engineering
Deutsche-Telekom-Allee 9
64295 Darmstadt
E-Mail: tobr@rx.t-online.de
Postmaster FAQ: https://postmaster.t-online.de

✅ Mail Server Operator Checklist

Security & Authentication

  • SPF record correctly set
  • DKIM signature active and valid
  • DMARC policy set (and reports reviewed)
  • Functional postmaster@ address created

DNS & Accessibility

  • Reverse DNS (PTR) points to the correct hostname
  • A and MX records are correct and point to the server
  • Website legal notice/contact page linked with sending domain

Reputation & Testing

  • IP address not on blacklists
  • Passed tests with Google, Microsoft, Telekom, GMX/Web.de
  • Mail test score at least 9/10

Operation & Monitoring

  • Spam and virus protection active
  • Rate limits for outgoing mail
  • Log monitoring & alerts for unusual activity
  • Regular backups of mail server configuration and mailboxes

Networking with Other IT Administrators

If you need support or want to exchange ideas with other admins facing similar problems, you’re welcome to join my Matrix Support Groups.
Here I’m happy to help with questions about mail servers, networking, and IT security:
https://it-service-commander.de/en/support-3/groups/