Cold Email Infrastructure for Germany

Germany is the hardest market in the EU for cold email, and it is not close. The Gesetz gegen den unlauteren Wettbewerb (UWG) §7 Abs. 2 Nr. 2, the Act Against Unfair Competition: prohibits electronic marketing messages to consumers or businesses without prior explicit consent. Unlike the UK's PECR, there is no corporate subscriber exemption. Unlike Australia's Spam Act, there is no inferred consent path. A cold email to a German @gmbh.de address is a UWG violation in almost every case.

Enforcement happens in two ways that make Germany unusual. First, German competitors, trade associations, and consumer groups can issue an Abmahnung: a formal cease-and-desist letter backed by the threat of a civil injunction. The Abmahnung industry in Germany is large, well-organized, and routinely targets cold-email senders. A single Abmahnung can carry €500-€5,000 in legal fees plus a cease-and-desist pledge with contractual penalties on repeat.

Second, recipients themselves can sue for an injunction under UWG §8. Courts have consistently awarded injunctions for unsolicited commercial email going back to a 2004 Federal Supreme Court (BGH) decision that treated a single unsolicited B2B marketing email as an unlawful interference with the recipient's business operations.

What is legal in Germany: 1. Express opt-in (double opt-in is the de facto standard) 2. Existing customer exception (§7 Abs. 3 UWG), you sold someone a product, they gave you their email during the transaction, you can send them similar-products marketing with clear opt-out 3. Pre-existing business relationships where the recipient has an expectation of contact

• Cold email to a public info@ address
• Cold email to a named @company.de address scraped from a website, LinkedIn, or any other source
• 'Cold' B2B sales outreach even if highly relevant
• Adding a recipient to a list based on a business card exchanged at a trade show (courts have split on this but the conservative read is 'no')

The honest guidance: German cold email programs should not exist in the traditional sense. Teams that want to reach German buyers should use account-based marketing with manual 1:1 outreach from real people (not bulk tools), LinkedIn messaging via LinkedIn's own systems, or paid advertising. The infrastructure piece of this article exists for senders who are running properly-consented German sequences or who are sending to German recipients as part of a mostly non-German outreach and need to handle German addresses correctly.

A fully cold German outbound program is not legally viable. Budget for account-based outreach through other channels.

The text of UWG §7 Abs. 2 Nr. 2 states (translated): 'An unreasonable nuisance is always to be assumed in the case of advertising through electronic mail without the recipient's prior express consent.' There is no carve-out for B2B. There is no 'conspicuously published' exemption. There is no 'corporate subscriber' distinction.

The reason is historical. German consumer protection and business law have always treated unsolicited advertising as an unfair competitive practice, and the UWG was updated in 2004 to implement the EU's ePrivacy Directive with stricter rules than the directive required. Most EU countries chose to exempt business-to-business messaging. Germany did not. The federal courts have reinforced this position consistently, BGH judgment I ZR 164/02 held that even a single unsolicited B2B email is an unlawful nuisance, and later decisions have not softened that.

The existing-customer exception (UWG §7 Abs. 3) is the narrow path that legal German email marketing operates through. Its four cumulative conditions: 1. The sender obtained the email address from the recipient in the context of selling goods or services. 2. The sender uses the address for direct advertising of its own similar goods or services. 3. The recipient has not objected to the use. 4. The recipient is clearly informed at the time of collection, and in every subsequent message, of their right to object free of charge.

This works for re-engaging existing customers. It does not work for prospecting.

Double opt-in is the de facto safety standard for consented marketing in Germany. A single opt-in: box ticked on a form: is technically legal under UWG but has been challenged in courts where the sender could not prove the opt-in was informed. Double opt-in (confirmation email, click to verify) creates a paper trail that survives Abmahnungen.

Documentation requirements. German marketers retain the IP address, timestamp, and form-source of every opt-in for at least 3 years, the statute of limitations for UWG injunction claims. Without this documentation, a sender cannot prove consent existed at the time of sending, and courts will assume it did not.

Germany has a fundamentally different consumer inbox mix from every other Western market. Web.de and GMX: both owned by United Internet / 1&1 Mail & Media: together account for the largest share of personal email in Germany. T-Online (Deutsche Telekom) is still meaningful. Gmail and Outlook.com are large but not dominant.

Two practical implications for consented German email programs.

Web.de and GMX have their own filtering rules. Both are part of United Internet's Mail-Abuse-Report postmaster platform. They enforce strict authentication (SPF + DKIM + DMARC with alignment) and they are more aggressive than Gmail on content-based filtering. A newsletter that delivers cleanly to Gmail may sit in Web.de junk for weeks. Senders reaching Web.de/GMX audiences should monitor the 1&1 postmaster tools weekly and be prepared for higher bounce rates on list imports.

The German SMB long tail is large. 1&1 IONOS, Strato, and smaller German webhosts still serve a significant share of German business email, especially for companies under 50 employees. These mailboxes run on varied backends with inconsistent filtering. Sending from US IPs to these recipients compounds latency and reputation issues. Microsoft 365-style throttling shows up on IONOS-hosted mailboxes too.

Consented German email marketing operates at the intersection of two laws:

UWG §7 requires prior express consent for the electronic marketing message itself. This is about the act of sending a commercial message.

GDPR Art. 6 and Art. 7 require a lawful basis for processing the recipient's personal data. For marketing, the practical options are consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)). German regulators: notably the Bayerisches Landesamt für Datenschutzaufsicht: have consistently said that legitimate interest is not a valid basis for cold marketing email, because UWG §7 already requires explicit consent. So in practice, German senders must rely on GDPR consent for the data processing piece too.

A compliant German consent flow looks like this: 1. Clear, informed opt-in form: not pre-ticked, not bundled with unrelated terms 2. Confirmation email with a link the recipient must click (double opt-in) 3. Explicit wording that names the sender and describes what kinds of messages the recipient will receive 4. Statement of GDPR Art. 7(3) right to withdraw consent at any time 5. Privacy notice (GDPR Art. 13) available at the opt-in point 6. Storage of IP address, timestamp, form version, and confirmation click for at least 3 years

• One-click unsubscribe in the message (also required by Gmail/Yahoo bulk sender rules)
• Unsubscribe honored immediately (not 'within 10 days', German courts expect same-day processing)
• Suppression list keyed by email with indefinite retention
• Confirmation email after unsubscribe is optional but reduces dispute risk

Double-opt-in confirmation email caveat. German courts have sometimes treated the confirmation email itself as a UWG §7 violation if the initial opt-in was too generic (e.g. 'Sign up for our newsletter' without describing content), the argument being that the confirmation message is unsolicited marketing. This is a minority position but real enough that conservative senders phrase their opt-in forms explicitly and keep the confirmation email content-free (just a click-to-verify link).

For a sender running a legitimate opt-in German email program, the infrastructure story is mostly standard, but every choice is under higher scrutiny.

• 1-3 .de domains for the sending zones (German recipients trust .de addresses)
• Register .de through a DENIC accredited registrar
• Meet DENIC's admin-C requirement (a German administrative contact)
• Publish a complete Impressum on every sending domain's landing page, this is legally required for any German commercial web presence
• 301 redirect secondary domains to the primary brand

• Google Workspace or Microsoft 365: both work fine with German recipients
• Consider Microsoft 365 EU data region if the sender is subject to Schrems II concerns
• Per-mailbox volumes stay conservative for German traffic, 40-60/day maximum even after warmup, because German recipients are more likely to mark content as spam if it looks automated
• Isolated warmup before any real traffic

• SPF with strict alignment
• DKIM with two selectors
• DMARC at p=quarantine after 30 days (German recipients are more DMARC-aware)
• MX matches mailbox provider
• Consider BIMI for Gmail and Yahoo brand indicator

• Impressum link required in every commercial message (GmbH, address, authorized representative, commercial register number, USt-ID)
• German-language subject lines for German recipients (English-language cold email to German recipients triggers higher spam complaint rates even when otherwise compliant)
• Unsubscribe link labeled 'Abbestellen' or 'Newsletter abmelden'
• GDPR Art. 13 notice at the opt-in point

German cold-email senders who push their luck get Abmahnungen. The practical risk model has three drivers.

Driver 1: Volume. A sender who emails 100 German addresses in a month might get 0 Abmahnungen. A sender who emails 10,000 in a month will likely get 1-3 over a quarter. Abmahnung frequency scales linearly with volume.

Driver 2: Recipient sophistication. Lawyers, tax advisors, consultants, and agencies are much more likely to issue Abmahnungen than manufacturing or retail SMBs. Targeting German legal or professional services with cold email is a guaranteed Abmahnung pipeline.

Driver 3: Ignoring the first complaint. A recipient who receives one cold message and replies with 'unsubscribe' or 'kein Interesse' and then receives a second message will almost always escalate. A recipient whose first message was ignored won't escalate unless they're part of an Abmahnung mill.

• Initial letter: €500-€2,500 in legal fees paid by the sender
• Cease-and-desist pledge: contractual penalty per violation, typically €2,500-€10,000
• If ignored: injunction proceedings, further legal costs, public court record
• Repeat offenders: criminal proceedings possible under StGB §263a if the sender actively deceived recipients

• Not cold-emailing German recipients. €0.

The math almost always favors prevention. Cold email to Germany is a bad business decision even before it becomes a legal one.

If you are running a legitimate opt-in German email program (newsletter, product announcement to existing customers, post-purchase sequences), here is the setup:

• [ ] Register 1-3 .de domains through a DENIC registrar
• [ ] Publish Impressum on every domain's landing page
• [ ] Provision 5-15 Google Workspace or Microsoft 365 mailboxes
• [ ] Automated SPF/DKIM/DMARC via InboxKit
• ] Enable [InfraGuard monitoring
• [ ] Build double-opt-in form on landing pages

• [ ] Isolated warmup on every mailbox
• [ ] Confirm 1&1 / Web.de / GMX postmaster monitoring is live
• [ ] Draft German-language content templates with Impressum block
• [ ] Legal review of opt-in flow

• [ ] Start newsletter / re-engagement sequences
• [ ] First-day opt-out processing (suppression list auto-sync)
• [ ] Weekly deliverability review (Gmail, Microsoft 365, Web.de, GMX, T-Online)
• [ ] Quarterly compliance audit: retention of opt-in records

• Any Abmahnung: respond via legal counsel, stop sending to that address and to the source list
• Spam complaint rate above 0.2%: throttle immediately
• Web.de / GMX reputation degradation