Product Security

  • GRI 417
  • GRI 417-1

United Internet offers users solutions for secure, data privacy-compliant communication and cloud services on the internet. With its “E-Mail made in Germany” and “Cloud made in Germany” initiatives, the Group has built a sound reputation for secure sending and receipt of private e-mails, and for protecting digital privacy in the cloud.

E-Mail Made in Germany

In 2013, United Internet and Deutsche Telekom launched the “E-Mail made in Germany” initiative. Its member companies offer customers high standards of security and data privacy. These include encrypted transmission of all e-mails across all routes operated by members, the processing and storage of all data in Germany in accordance with German data privacy requirements, and the identification of secure e-mail addresses within the e-mail applications. Since April 2014, “E-Mail made in Germany” has only used SSL keys certified in Germany and all transmission routes have been fully encrypted. It goes without saying that all partners’ processes comply with the GDPR. In 2015, GMX and WEB.DE – e-mail services belonging to United Internet – significantly enhanced the “E-Mail made in Germany” security standard by developing an encryption solution based on the globally recognized Pretty Good Privacy (PGP) standard.

Cloud Made in Germany

In fiscal year 2017, GMX and WEB.DE introduced free end-to-end encryption of cloud content for all users. Customers can use this “safe” to encrypt their data locally before uploading, hence protecting it from third-party access. Sensitive content that has left the customer’s device is saved online only as an unreadable data set. The data is only decrypted again once it has been downloaded from the cloud to one of the user’s devices. This move by the GMX and WEB.DE portal brands strengthens their “Cloud Made in Germany” initiative, which was launched in 2016, and improves internet security.

De-Mail Standard

Since 2012, the De-Mail standard has offered legally valid e-mail communication that can be used for online registration and notification processes involving public authorities, and for legally binding digital transactions. GMX, WEB.DE, and 1&1 have been accredited De-Mail service providers since 2013. In 2016, GMX, WEB.DE, and 1&1 were certified for the first time as complying with the European Union’s eIDAS (“Electronic Identification and Trust Services”) Regulation. Based on this certified infrastructure, they will also be able to offer their users a legally valid method of communication with all other EU Member States in future. The eIDAS Regulation creates an EU-wide standard for the unique identification of all participants and the digital signature of cross-border electronic data transmissions. This creates uniform conditions in all EU Member States for the trusted, verifiable exchange of documents and legally valid communications between citizens, public authorities, and enterprises.

We had applied in the past for approval as an identity provider as defined by the German Online Access Act (“Onlinezugangsgesetz” – OZG) for our single sign-on system, which is based on our De-Mail infrastructure. The approval audits were successfully completed in 2020 and approval has been granted. This means that all De-Mail users and GMX, WEB.DE, and 1&1 customers can use their De-Mail accounts to directly access services offered by the federal government’s and states’ citizen accounts and service portals within the network, without having to log on and authenticate themselves again. This makes it much easier for citizens to use all participating e-government processes, and offers our customers and users additional uses for their De-Mail accounts.

Security and Encryption of Emails, etc.

In addition to the above-mentioned security features such as TLS, end-to-end encryption using PGP, and the “safe” function for cloud storage, all user data and content are subject to Europe’s and Germany’s strict data privacy requirements as set out in the GDPR, and are stored on servers in Germany. User consent is paramount.

The two-factor authentication process introduced in June 2019 provides additional protection for user accounts. With this procedure, accounts can be protected by an additional security code that has to be entered during the log-in process, as well as a password. This second factor makes it harder for attackers to access accounts, even if they have guessed the passwords or obtained them using malware.

Secure E-commerce

Customer trust is a critical factor in e-commerce. In addition to concerns about the security of their personal data, consumers have questions regarding the reliability of online transactions, providers’ delivery capability, and online services. This is why we take the measures necessary to allay any consumer concerns and to build up their trust.

IT security is becoming an ever-greater audit focus from year to year. Among other things, well-known technical services provider TÜV SÜD regularly audits the online shops run by Drillisch Online’s core brands (maXXim, smartmobil.de, simplytel, DeutschlandSIM, PremiumSIM, winSIM, yourfone, Galaxy EXPERTE, handyvertrag.de, and free-prepaid). The annual certification and review process caters to our customers’ wishes: security and quality are just as important to them as the price of our products and services. For us as an online retailer, certification with the well-known s@fer-shopping seal of approval offers an opportunity to reduce aborted transactions, positively impacting online sales. The requirements that have to be met to obtain the seal cover issues relating to data security and systems security, data privacy, and online content and processes. The comprehensive, multistage process needed to gain TÜV SÜD’s seal of approval includes an on-site audit. Not only is order processing checked for reliability as part of this process, but the way in which customer service deals with customer queries is also reviewed, and the security of customers’ personal data and payments processing are verified.

After successfully completing the certification process, we are entitled to use the s@fer-shopping seal of approval for Drillisch Online’s online shops. This demonstrates our commitment to offering customers a secure, satisfying online shopping experience and to undergoing thorough, systematic audits to assess whether we comply with this commitment. In addition, this certification helps us implement the GDPR’s technical and organizational security requirements. We were certified for the tenth time in a row in 2020.

Development of “Intelligent” Products

Security and user-friendliness are also core issues for us when enhancing our products and services. We are making increasing use of data science, artificial intelligence (AI), and machine learning here.

Intelligent Mailbox Function

GMX and WEB.DE’s intelligent mailbox provides customers with a handy way of categorizing and grouping e-mails, allowing these to be identified more quickly and effectively in a clear overview. Key e-mails can be found more rapidly and additional useful administration functions are provided for handling mass mailings. This saves time and makes the process more user-friendly. For example, the parcel tracking function allows the standard information about a shipment’s status to be displayed above users’ e-mails, and all orders to be grouped together in an overview. In addition, users can customize offerings to suit their own specific interests, and decide themselves which extra functions should be enabled in their mailboxes.

The intelligent mailbox function is self-learning, and by training the systems we will soon be able to offer the technology to create and offer additional e-mail categories. This will provide users with even more clearly structured mailboxes. For example, two new categories – “social media” and “newsletter” – were added in 2020. The first allows users to display all e-mails from social media channels, such as messages about birthdays and likes, together in a single category. The second offers them an overview of all the newsletters received in their mailbox. This can help them to unsubscribe from those they no longer want. For further details, please see the section entitled “Improved Spam Recognition Enhances E-mails’ Relevance and Security.” It goes without saying that the GDPR’s well-known data privacy requirements also apply to “intelligently captured” data at GMX and WEB.DE.

Improved Spam Recognition Enhances E-mails’ Relevance and Security

We work continuously to improve our recognition and filtering of spam – unsolicited or even harmful messages – so that these do not reach our users in the first place. In 2020, we succeeded in increasing the proportion of spam mails that were recognized and filtered out by 15% using new methods and data science applications. At the same time, spam complaints from users declined by 15%. This shows us that the “right e-mails” are being identified as spam. Spam can be anything from dangerous or harmful e-mails aimed at distributing viruses or at phishing down to unsolicited mails such as frequent mass mailings for advertising purposes.

We achieved this improvement by deploying new virus scanners and optimizing configurations. In addition, we started developing a proprietary spam scanner in 2020 that is customized for our services and that uses machine learning techniques, among other things. What is more, the standard allowing users to unsubscribe from newsletters, which was developed in 2019, helps them clean out their mailboxes and only receive the e-mails they actually want to receive. This is based on Internet Standard RFC 8058 (One-Click Unsubscribe), which allows recipients to cancel newsletters directly in their e-mail mailboxes with a single click. The “unsubscribe” link is always positioned directly next to the e-mail sender. This means that users no longer have to search for it or visit the sender's homepage. The Certified Senders Alliance (CSA), an initiative launched by industry association eco – Verband der Internetwirtschaft e. V., has added this standard to its rulebook, meaning that it is widely observed by leading senders. Our customers are responding positively to the service.

As a result, the number of unsolicited newsletters was reduced significantly in the 2020 reporting period. All in all, we were able to significantly increase both the relevance of incoming mails and the security of e-mail usage for our customers’ benefit.

User Feedback and AI Used to Further Enhance Spam Recognition

Incoming e-mails at GMX and WEB.DE are checked for whether they comply with spam criteria as a matter of course. If an e-mail is identified as spam, it is moved to a separate folder. However, new and constantly changing spam attack methods may lead to unwanted e-mails landing in customers’ in-boxes. Conversely, desirable e-mails may end up in the spam folder. Many users already address this issue by manually moving e-mails to the correct folders, training their personal spam filters in the process.

GMX and WEB.DE are now also using this individual user feedback for their general spam filters and for training their AI systems. This will allow us to protect users faster and more effectively against new types of spam. It goes without saying that users must have agreed to this. They can do this in their e-mail settings by activating the “Spam recognition using moved e-mails” option. In this case, GMX and WEB.DE can analyze and categorize content such as the subject lines or URLs of the e-mails that have been moved, plus associated traffic data such as the senders or IP addresses. The analyses are largely performed automatically by computer systems, and only in isolated cases by hand. The data are used strictly for their intended purpose and processed in accordance with the provisions of European data privacy law. Users can revoke their consent at any time by changing their spam recognition settings.

In addition, we are using machine learning to improve our identification of e-mail accounts that are controlled by botnets, so as to prevent spam mails from being distributed in this way.

Using Machine Learning to Identify Fraud

In our hosting business, we have developed a machine learning-based method of using domain names to predict whether the domain itself could be used fraudulently or misused.

Many security attacks today, such as spam mails and phishing, use domain names that look legitimate to recipients. For example, e-mails may be sent from addresses or contain links to websites whose names are highly similar to well-known, trustworthy domains. Users often do not recognize such tricks immediately. This type of fraud focuses on (or attacks) recipients, but can also impact our hosting customers, whose domains could be blocked by other providers as a result of such fraudulent activity. Our own organization can also be negatively impacted by this if the customer does not pay the costs incurred for registering the domain.

The data product that we have developed learns from previous domain registrations that have been identified and flagged by our fraud experts, and can assess pending domain registrations within milliseconds. One result is that customers may be offered a restricted range of payment options that require additional authentication, among other things, in order to minimize the risk for our Company. This function was added to our processes in 2019 and has already led to a reduction in the fraud rate.

The next step we are planning is to roll out the analysis to other markets and drive forward its use at the other Group companies that are active in the hosting area. Machine learning is an excellent way of identifying attempted fraud – the methods for which are constantly changing – and we are confident that we will be able to develop and provide additional useful services going forward.