Typo3 Email Deliverability: Guide for German Market Websites

Typo3 holds a market position in Germany that is difficult for international observers to appreciate: it powers a significant share of public-sector portals, university sites, mid-market B2B websites, and industrial catalogues across the DACH region. For a German enterprise buyer, Typo3 remains a serious and respected option, and it will continue to be for many years.

Its email stack, however, is often treated as an afterthought. A fresh Typo3 install can send mail out of the box via PHP's mail()function, which is adequate for a developer's localhost and catastrophic in production. This guide covers the configuration that separates compliant, deliverable Typo3 installations from the ones where order confirmations and contact-form notifications quietly vanish into T-Online's spam folder.

Typo3's mail architecture: Symfony Mailer, not PHP mail()

Since Typo3 v10, the platform has integrated Symfony Mailer as its underlying transport layer. This was a substantial improvement over the previous SwiftMailer integration and brought Typo3 in line with Symfony and Laravel in terms of DSN-based transport configuration.

The key configuration lives in LocalConfiguration.php or (preferably) in environment variables. A minimal production setup should look like:

'MAIL' => [
    'transport' => 'smtp',
    'transport_smtp_server' => 'smtp.eu.mailhost.example:587',
    'transport_smtp_encrypt' => 'tls',
    'transport_smtp_username' => 'noreply@example.de',
    'transport_smtp_password' => '%env(SMTP_PASSWORD)%',
    'defaultMailFromAddress' => 'noreply@example.de',
    'defaultMailFromName' => 'Beispiel GmbH',
],

Three aspects deserve emphasis for the German market. First, your SMTP relay should be hosted in the EU for DSGVO (GDPR) reasons — data transfers to US mail providers remain a legal grey zone after Schrems II and the EU-US Data Privacy Framework. Second, the defaultMailFromAddress must match a domain you control and have DKIM-signed. Third, never commit credentials to version control: use environment variables or Typo3's secrets mechanism.

DNS authentication for German mailbox providers

The German consumer inbox is dominated by three providers that behave very differently from Gmail and Outlook: T-Online (Deutsche Telekom), web.de and GMX (both operated by United Internet), and increasingly Microsoft 365 for business recipients. All three are strict about authentication and aggressive about shared-IP reputation.

SPF: include only what you actually use

example.de.   TXT   "v=spf1 include:_spf.eu.mailhost.example include:_spf.sap.example ~all"

A common mistake is accumulating SPF includes over years of tool changes — old Mailchimp, current Brevo, an ancient SAP marketing cloud integration. This can exceed the 10-lookup limit, which causes a PermError and is treated as a hard fail by strict providers.

DKIM: 2048-bit keys, rotated annually

Use a 2048-bit key, publish it at a selector like t3._domainkey.example.de, and rotate it once per year. Many German corporate DNS operations are set up to rotate keys; ask your infrastructure team.

DMARC: start at p=none, advance to p=quarantine

_dmarc.example.de.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@example.de; ruf=mailto:dmarc-forensic@example.de; fo=1"

For a mid-sized German enterprise, the sensible path is 90 days atp=none with aggregate reporting enabled, then transition top=quarantine; pct=25, ramping to pct=100, and finally to p=reject if your DPO agrees. Tools like dmarcian.com or Postmark's DMARC Digests make the aggregate report analysis tractable.

IP strategy: shared relay vs. dedicated

For transactional Typo3 mail (contact forms, registration confirmations, password resets, order receipts) a reputable shared SMTP relay is appropriate up to perhaps 50,000 messages per month. Above that volume, and especially for any mail that could be considered marketing, a dedicated IP — warmed up over 2–4 weeks — yields better and more predictable placement, particularly at T-Online, which is notably conservative about new IPs.

Several EU-hosted options that play well with German compliance requirements: Mailjet (Paris), Brevo (Paris), Mailgun EU region, and self-hosted Postfix on Hetzner or IONOS infrastructure. Each has its quirks; the decision often comes down to whether your DPO prefers a named-processor contract or self-hosting.

Seed testing with DE mailboxes

Running a seed test before any Typo3 rollout or DNS change is the difference between discovering a deliverability problem in QA and discovering it when the support desk is flooded with "ich habe die E-Mail nicht bekommen" tickets.

Maintain seed mailboxes at: t-online.de, web.de, gmx.de, mail.de, posteo.de, mailbox.org, Microsoft 365 (via a test tenant), Gmail, and Apple iCloud. This covers roughly 85% of real German inbox placement.
Trigger a representative sample of Typo3 mail: order confirmation, contact-form notification, password reset, newsletter issue if applicable.
Check each seed inbox. T-Online in particular tends to delay or silently drop mail from poorly-warmed IPs — give it 10 minutes before concluding the message is missing.
Document placement for each transport path. Keep the log: when DNS changes or a Typo3 update alters header handling, the baseline lets you diagnose quickly.

The inbox-check.online seed test pool includes all major German consumer providers and is free with no account required — useful when you need an answer before a deployment window closes.

Typo3 integration in beta

A native Typo3 integration is in private beta — run placement tests in-platform and get alerts on drops.

→ Join the beta waitlist

Common Typo3-specific pitfalls

Fluid templates with inline styles. Typo3's Fluid templating engine is powerful but can produce bloated HTML with heavy style blocks that trip spam filters. Use inline CSS only where needed and keep the body under 100 KB.
The return-path mismatch. Typo3 sometimes sets a return-path header that does not align with your From address, causing DMARC failures. Verify with a test to check-auth@verifier.port25.com.
Contact-form spoofing risks. If your contact form uses the visitor's email address as the From header, you will fail DMARC and quickly land on blocklists. Always send from your own domain with the visitor's address in Reply-To.
Legacy extensions. Older Typo3 extensions (EXT:*) sometimes bypass the mail API entirely and call mail()directly. Audit your extension list before assuming all mail flows through Symfony Mailer.

FAQ

Does Typo3 support DMARC reporting out of the box?

Typo3 is on the sending side; DMARC reporting is a DNS-level concern. You publish rua= and ruf= addresses in your DMARC record; the reports arrive at those mailboxes from receiving providers. Typo3 itself has no involvement.

Can I run Typo3 mail through Microsoft 365 SMTP?

Technically yes via SMTP AUTH, but Microsoft 365 is designed for human mailboxes, not application SMTP. You will hit throttling limits and Microsoft may revoke the capability. Use a dedicated transactional ESP instead.

Is DSGVO compliance affected by my choice of ESP?

Yes — your ESP becomes an Auftragsverarbeiter (processor). You need an AVV/DPA in place, and if the ESP transfers data outside the EU you need a legal basis. EU-hosted relays simplify the paperwork substantially.

How often should I test my Typo3 transactional mail?

At minimum, before every production deploy that touches mail templates, DNS records, or the Symfony Mailer configuration. Many teams also run a weekly scheduled seed test as a canary.