Unfortunately I could not find an exact "list" of requirements.
We have this older canonical question, but for the limited application of customers with some connection to Germany, you may find the union of these 3 lists more helpful. Many other mail recipients in the DACH area apply equivalent rulesets:
If you are sending significant volume to any of these providers, I bet you have received SMTP-stage refusals or abuse complaints before. Read them, they will likely point to the key issues (you are acting on everything sent to your postmaster
and abuse
mailbox, right?).
Short summary:
- don't send malformed messages, don't run broken/unmaintained software
- repeated mailings must include a way to make them stop
- make abundantly & unambiguously clear who is sending, whois/rDNS/website/headers/names, whatever someone checks must to the extent possible name the responsible entity
- do not, ever, send stuff that customers did not explicitly & knowingly agreed to receive
- for new deployments, just consider DMARC & TLS a minimum requirement
You can mostly forget about block lists, they are a last-resort measure. While they sometimes appear where you failed to implement point 3, they generally rarely target you, specifically. And if someone does add you, specifically, you have failed at a procedural level (such as repeatedly messaging long-invalid addresses of past customers), nothing mail server setup alone can help you with.