De-Mail: Delivery Fiction with Pitfalls

By late 2026, the final legal step will be taken to withdraw De-Mail, a 2012 service. The system failed against reality.

By Detlef Borchers

The De-Mail Act will be repealed. By the end of 2026, the last remaining, but legally significant, step will be taken to withdraw De-Mail from circulation, a service launched in 2012. The email system, binding for both authorities and citizens, died in 2023 when the last De-Mail provider ceased operations. The bold dream of advertisers and logo designers that the circled e of De-Mail would replace the @ of email had long since shattered against the hard reality of the internet. It wasn't a lack of user-friendliness, but the delivery fiction that dug an early grave for De-Mail.

What De-Mail was and how it worked can best be read from the authority that conceived De-Mail and controlled the mail providers, following the withdrawal now decided by the Bundestag. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) has not yet shut down its information page about a simple electronic mail system that authenticates sender and recipient, sends encrypted messages, and makes this process verifiable from sending to receipt. It's great that such a thing exists, one might say, when Deutsche Post only occasionally throws letters in the mailbox. Since 2025, the delivery fiction has been changed: as of this year, administrative acts sent by mail from authorities are considered announced four days after dispatch. This sounds trivial, but it is of utmost importance for compliance with objection and payment obligations.

De-Mail failed precisely at this point during the conception phase. The electronic delivery fiction was designed by the De-Mail Act such that a legally binding official email should be considered delivered when it is sent by the authority to an authenticated recipient, regardless of when the recipient opens their mailbox and reads or opens the email. The programmatically simple feedback, the return receipt known from postal mail, was discarded to relieve authorities. Instead, there was only an obligation for De-Mail providers to report an incoming De-Mail to their customers' normal mailboxes, also without storing a timestamp. Citizens using De-Mail were clearly disadvantaged.

In addition to this cardinal error, another mistake by those responsible crept into the conception of De-Mail. When it comes to official business and communication between citizens and authorities, why not further relieve the authorities and open and scan De-Mails for viruses? That this happens “shortly” and not at the authority itself, but at a BSI-certified provider, should reassure De-Mail citizens. No snooping, just trust us, was the bold assumption. And because trust is written with a capital T, there was no encryption option at the start of De-Mail. It was only retrofitted in 2015, when the lack of acceptance of De-Mail became clearly apparent. By then, critics like the Chaos Computer Club had long since passed a devastating verdict on the De-Mail system, and the revelations of Edward Snowden had increased distrust in dealing with state institutions.

Missing Link

What's missing: In the fast-paced world of technology, we often don't have time to sort through all the news and background information. At the weekend, we want to take this time to follow the side paths away from the current affairs, try out other perspectives and make nuances audible.

The launch of De-Mail at IFA 2012 in Berlin was nicely staged. Telekom had set up a bright desk around which a light shimmered when an applicant presented the ID required for registration. The fact that all first names of the ID holders were combined into long De-Mail addresses did not bother anyone. It was more bothersome that, alongside the later certified De-Mail providers 1&1 (United Internet) and Mentana-Claimsoft, Deutsche Post presented an almost identical offer with its E-Brief at CeBIT 2013, which actually met all the requirements of De-Mail, but used PostIdent for registration, a procedure not approved by the BSI. PostIdent still exists today, e.g., for setting up the electronic patient record, while E-Brief and E-Safe were mothballed in 2022. In the same year, Telekom showed the few journalists interested in the topic the data center where the De-Mail servers worked in their own high-security area. The report “from the cage” caused annoyance because Heise readers promptly named the secret location where almost all of Germany's De-Mail was processed.

Although De-Mail was extended with PGP encryption in 2015 and the German Pension Insurance (Deutsche Rentenversicherung) began to use De-Mail as the largest authority, the number of citizens using it continued to grow only hesitantly. The e-Government Act, which obliged all authorities to offer at least one De-Mail mailbox by the deadline of March 24, 2016, did not change this. Finally, in 2018, even the courts were forced to saddle the dead horse. Incidentally, this term for De-Mail was coined by Telekom CEO Tim Höttges in early 2021, before Telekom, as by far the largest De-Mail provider, with T-Systems on the authority side and @t-online.de-mail.de on the citizen side, cleared out the stables. Mentana-Claimsoft, a subsidiary of Francotyp-Postalia, which had already developed the electronic official mailbox (beBPo), benefited from this in the short term. But in 2023, it too withdrew as the last provider of De-Mails. Anyone who calls up the corresponding offer page today receives the message that the De-Mail offer will be discontinued on December 31 – new registrations are no longer possible.

(nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.