The De-Mail law will be repealed. At the end of 2026, the last remaining but legally important step will be taken to withdraw De-Mail, which was launched in 2012, from circulation. The mail system, which was binding for authorities and citizens, died in 2023 when the last De-Mail provider gave up. The bold dream of advertisers and logo designers that the curled e of De-Mail would replace the @ of e-mail had long since shattered over a cliff in the harsh reality of the Internet. It was not the lack of user-friendliness but the delivery fiction that dug an early grave for De-Mail.
Read more after the ad
What De-Mail was and how it worked can best be found out after the decision to end it in the Bundestag is from the authority that designed De-Mail and controlled the mail providers. The Federal Office for Information Security has not yet switched off its information page about a simple electronic mail system that authenticates both sender and recipient, sends messages in encrypted form and makes this process verifiable from sending to receiving. It’s great that something like this exists when Deutsche Post only occasionally throws letters into the box, one might say. As is well known, the delivery fiction has been changed since 2025: Since this year, administrative acts sent by the authorities by post are only considered announced four days after they are sent. It sounds banal, but it is of utmost importance for compliance with objection and payment obligations.
De-Mail: Delivery fiction with pitfalls
It was precisely at this point that De-Mail failed in the conception phase. The electronic delivery fiction was designed by the De-Mail Act in such a way that a legally binding authority email should be considered delivered when it is sent by the authority to an authenticated recipient, regardless of when the recipient opens their mailbox and reads or opens the email. The simple programming response, the return receipt familiar from postal mail, was discarded in order to relieve the burden on the authorities. Instead, there was only an obligation for De-Mail providers to report an incoming De-Mail to their customers’ normal mailboxes, even without saving a timestamp. Citizens using De-Mail were clearly disadvantaged.
In addition to this cardinal error, another error by those responsible crept into the design of De-Mail. When it comes to official business and communication between citizens and authorities, why not further relieve the burden on the authorities and open the De-Mail and scan it for viruses? The fact that this is happening “for a short time” and not at the authority but at a BSI-certified provider should reassure De-Mail citizens. There’s no snooping, just trust us, that’s the bold assumption. And because trust is written with a capital V, there was no option for encryption when De-Mail was launched. It was only installed later in 2015, when the lack of acceptance of De-Mail became clear. Critics like the Chaos Computer Club had long since passed a devastating verdict on the De-Mail system, and Edward Snowden’s revelations had increased mistrust in dealing with state institutions.
What’s missing: In the rapidly changing world of technology, there is often time to re-sort all the news and background information. At the weekend we want to take it, follow the side paths away from the current events, try out other perspectives and make nuances audible.
The launch of De-Mail at the IFA 2012 in Berlin was beautifully staged. Telekom had set up a bright desk around which a light shone when an applicant presented the ID required for registration. The fact that all of the ID card holders’ first names were combined into long De-Mail addresses didn’t bother anyone. What was more annoying was that, in addition to the later certified De-Mail providers 1&1 (United Internet) and Mentana-Claimsoft, Deutsche Post presented an almost identical offer at CeBIT 2013 with its E-Brief, which actually met all of the requirements of De-Mail, but used a registration process with PostIdent that was not approved by the BSI. PostIdent still exists today, for example for setting up electronic patient records, while E-Brief and E-Safe were mothballed in 2022. In the same year, Telekom showed the few journalists interested in the topic the data center in which the De-Mail servers worked in their own high-security wing. The report “out of the cage” caused anger because Heise readers promptly named the secret location where almost all of the Republic’s De-Mail was processed.
Read more after the ad
Although De-Mail was expanded to include PGP encryption in 2015 and the German Pension Insurance, as the largest authority, began using De-Mail, the number of citizens continued to grow only hesitantly. The e-Government Act, which required all authorities to offer at least one De-Mail mailbox by the deadline of March 24, 2016, did not change this. Finally, in 2018, the courts were also ordered to saddle the dead horse. Incidentally, Telekom boss Tim Höttges came up with this name for De-Mail at the beginning of 2021 before Telekom, as by far the largest De-Mail provider, cleared out the stables with T-Systems on the authorities’ and citizens’ sides with the address @t-online.de-mail.de. Mentana-Claimsoft, the subsidiary of Francotyp-Postalia, which had already developed the electronic government mailbox (beBPo), was able to benefit from this in the short term. But in 2023 it was the last provider to withdraw from De-Mails. Anyone who accesses the corresponding offer page today will receive the message that the De-Mail offer will be discontinued on December 31st – new registrations are no longer possible.
(nen)
