BIG BOX Hosting Case studies German Media № 50.02

Six titles. Twelve million sends. Bavarian DPA inquiry resolved.

A Berlin-based media group migrating off in-house Postfix during an active regulatory inquiry. Six months. Three teams. The infrastructure can answer fast — the organisation around it answers as fast as the slowest team.

01  /  The setup

Six titles, one regulator letter.

A media group running 12 million sends a month on infrastructure built between 2014 and 2018, with the original engineer gone since 2022 and a Bavarian DPA letter on the table.

The customer is a German media group based in Berlin, operating six consumer titles spanning news through to food and technology coverage, with a combined newsletter readership of about 4.2 million subscribers across the group. Combined daily and weekly newsletter volume averages around 12 million sends a month. Peaks during product launches and editorial events can push the daily rate above 600,000 within a four-hour delivery window. The infrastructure that came into the engagement was an in-house Postfix deployment with a custom queue manager, built by the original engineering team between 2014 and 2018 and hosted on bare metal in a Frankfurt colocation. The system worked. The problem was that nobody on the current team understood it well enough to evolve it, and the senior engineer who had built it had left the group in 2022.

─────────────────────────────────────────────────────────────────────────
02  /  The actual problem

Two structural problems plus an SPF chain quirk.

A regulator letter from Bavaria, 18-month log retention vs. 30-day published policy, a reversible bounce-handler hash, and a DNS provider quirk that resolved differently on Tuesday than on Friday.

The trigger for the engagement was a regulatory letter from the Bavarian DPA in November 2024. One of the group's titles had received a series of DSARs (Data Subject Access Requests) from a coordinated campaign by a privacy advocacy group, and the title's response time had exceeded the 30-day GDPR Article 12(3) limit on enough of them that the regulator opened an inquiry. The compliance review surfaced two structural problems. The Postfix deployment retained delivery logs for 18 months, much longer than the 30 days the editorial team's published privacy notice claimed. And the in-house bounce-handling system had been configured in 2017 to mask recipient addresses with a hash that was reversible against the subscriber database, which under the regulator's interpretation amounted to processing pseudonymous data without a valid basis.

The deliverability situation was the second thing on the table. The group had been losing roughly 8 percent of subscriber engagement at Gmail year over year since 2022, and the trend was accelerating. The internal explanation had been that newsletter engagement was declining across the industry, which was true at the trend level but did not explain the specific shape of the loss. We pulled three months of Gmail Postmaster data in week one and the picture clarified. The group's domain reputation was sitting at "Medium" with periodic dips into "Low" during high-volume sends. DMARC alignment was passing on 91 percent of mail, with the remainder failing because of an SPF include chain that resolved differently on Tuesday morning sends than on Friday afternoon sends, due to a DNS provider quirk that had been latent for two years.
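The SPF inconsistency above is the kind of thing that only shows up when the same include chain is flattened twice and the results are compared. As an added illustration, not code from the case study or its customer, here is an offline flattener run over two constructed zone snapshots, with all domains and IP ranges assumed for the example:

```python
import re
from typing import Dict, Set, Tuple

# Constructed snapshots: the same zone as served at two different times.
ZONE_TUESDAY: Dict[str, str] = {
    "news.example": "v=spf1 include:_spf.esp.example include:_spf.corp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.esp-b.example -all",
    "_spf.esp-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.corp.example": "v=spf1 ip4:192.0.2.10 -all",
}
ZONE_FRIDAY = dict(ZONE_TUESDAY)
# Friday's answer for the ESP record lacks the nested include: the inconsistency.
ZONE_FRIDAY["_spf.esp.example"] = "v=spf1 ip4:198.51.100.0/24 -all"

MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: more than 10 DNS-querying terms is a permerror
LOOKUP_TERM = re.compile(r"[+\-~?]?(include|redirect|a|mx|ptr|exists)(?:[:=].*)?$")
IP_TERM = re.compile(r"[+\-~?]?(ip4|ip6):(.+)$")


def flatten(zone: Dict[str, str], domain: str) -> Tuple[Set[str], int]:
    """Return (authorised networks, DNS-querying terms used) for domain under zone."""
    nets: Set[str] = set()
    lookups = 0
    pending, seen = [domain], set()
    while pending:
        name = pending.pop()
        if name in seen:            # loops in the chain are a permerror in practice
            continue
        seen.add(name)
        record = zone.get(name)
        if record is None or not record.startswith("v=spf1"):
            raise ValueError(f"permerror: no usable SPF record for {name}")
        for term in record.split()[1:]:
            if (m := IP_TERM.match(term)):
                nets.add(m.group(2))
            elif (m := LOOKUP_TERM.match(term)):
                lookups += 1
                if m.group(1) in ("include", "redirect"):
                    pending.append(re.split(r"[:=]", term, maxsplit=1)[1])
    if lookups > MAX_LOOKUPS:
        raise ValueError(f"permerror: {lookups} lookups exceed the limit of {MAX_LOOKUPS}")
    return nets, lookups


def compare_snapshots(zone_a: Dict[str, str], zone_b: Dict[str, str],
                      domain: str) -> Tuple[Set[str], Set[str]]:
    """Networks authorised in one snapshot but not the other; both empty means stable."""
    a, _ = flatten(zone_a, domain)
    b, _ = flatten(zone_b, domain)
    return a - b, b - a
```

Any sender whose IP falls in the set that differs between snapshots will pass SPF on one day and fail it on the next, which is exactly what a partial DMARC failure rate hides.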

─────────────────────────────────────────────────────────────────────────
03  /  What we did, month by month

Six months. Three teams.

Months one and two on Postfix replacement. Month three on retention reduction and DSAR rebuild. Month four on cutover and DMARC enforcement. Months five and six on regulator response and handover.

We scoped the engagement at six months because the regulatory remediation could not be done in five weeks the way the FCA case could. Three teams needed time. The engineering team needed time to migrate off the in-house Postfix without breaking ongoing daily sends. The legal team needed time to revise the published privacy notice and to handle the open Bavarian DPA inquiry. The editorial team needed time to communicate retention changes to subscribers under the GDPR Article 13 update obligation. Our role was to operate the new infrastructure, document the configuration in a way the team could maintain after handover, and assist with the regulator-facing documentation through our DPO, who had handled comparable Bavarian DPA correspondence twice before. We did not run the legal response.

Months 1-2: Postfix replacement. We provisioned PowerMTA on a four-server cluster in our Ljubljana PoP, configured the same routing logic the in-house queue manager had been performing, and set up a parallel send path. The first parallel send was a test newsletter on 14 December 2024, addressed to a 50,000-recipient seed list made up of the engineering team and editorial subscribers who had volunteered. We ran parallel sends through the whole of December, comparing delivery outcomes between the two paths for the same recipient population. By 15 January 2025 we had enough comparative data to recommend cutover. The recommendation was conservative on our side: the PowerMTA path was outperforming the in-house path at Gmail by about 4 percentage points on inbox placement, but the editorial team had built reflexive processes around the in-house queue manager's quirks, and the cutover required retraining as much as it required code changes.

Month 3: retention reduction and DSAR rebuild. The Postfix system had retained 18 months of full delivery logs (sender, recipient, timestamp, MTA response, message-id, subject line) on a 12-disk storage array that had been cheap to keep adding to. The new architecture retains 30 days of operational data plus 7 years of audit-only records (admin access events, configuration changes, security events) on append-only storage in a separate jurisdiction. The cutover from the old retention to the new happened on 28 February 2025. We deleted 17 months of historical delivery logs in a single operation, with the legal team's written authorisation and a documented chain of custody for the deletion. The DSAR response system was rebuilt on top of the new architecture. Where the old system had taken roughly 14 days to produce a complete DSAR response (because the data was scattered across three storage tiers and the bounce handler's reversible hash had to be decoded by hand), the new system produces a complete response in under 90 minutes. We did not benchmark this against the GDPR 30-day requirement; we benchmarked it against the editorial team's expectation that a DSAR should not require an engineer to drop everything for a full working day.

Month 4: cutover and DMARC enforcement. We migrated the daily newsletter sends to the PowerMTA cluster on the second weekend of March 2025, in three waves separated by 48 hours each (one title per wave). The first wave (the news title, which had the highest volume and the most engaged subscriber base) ran clean. The second wave (the lifestyle title) hit a sender-name encoding issue we had not anticipated: the in-house Postfix had been silently fixing UTF-8 encoding errors in the From header for years, and the editorial team's content management system was producing headers that the new infrastructure rejected as malformed. We patched the CMS to emit RFC 6532-compliant headers within four hours and the wave completed without further incident. The third wave (the tech and food titles, batched together) ran clean. The DMARC policy was tightened from p=none to p=quarantine with pct=25 on 30 March 2025, then progressively to p=reject with full enforcement by mid-April, after we had verified that no legitimate mail was being affected.
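The staged tightening described above (p=none, then p=quarantine with pct=25, then p=reject) is easy to get out of order when several people edit DNS. As an added example that is not the case study's or PowerMTA's code, this parses published DMARC records and checks that each step only tightens the policy and keeps aggregate reporting on; the record texts and the rua address are constructed:

```python
from typing import Dict, List, Optional

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults for pct and sp."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def strictness(tags: Dict[str, str]) -> float:
    """Order policies on one scale: none=0, quarantine pct=25 is 0.25, quarantine=1.0, reject=2.0."""
    rank = POLICY_RANK[tags["p"]]
    return 0.0 if rank == 0 else rank - 1 + int(tags["pct"]) / 100


def check_rollout(records: List[str]) -> List[str]:
    """Return findings for a sequence of records published over time; empty means clean."""
    findings: List[str] = []
    prev: Optional[float] = None
    prev_rank = 0
    for step, record in enumerate(records, 1):
        tags = parse_dmarc(record)
        if "rua" not in tags:
            findings.append(f"step {step}: no rua= address, enforcement runs without aggregate feedback")
        cur, rank = strictness(tags), POLICY_RANK[tags["p"]]
        if prev is not None and cur < prev:
            findings.append(f"step {step}: policy loosened from {prev} to {cur}")
        if prev is not None and prev_rank == 0 and rank == 2:
            findings.append(f"step {step}: jumped from p=none straight to p=reject with no quarantine stage")
        prev, prev_rank = cur, rank
    return findings


# Constructed rollout mirroring the sequence in the case study.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.invalid",
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.invalid",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
]
```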

Months 5-6: regulator response and handover. The Bavarian DPA inquiry resolved in May 2025 with a written closure that described the group's response as "materially appropriate" and required no further action. Our DPO had drafted the response in conjunction with the group's external counsel, and the architecture documentation we had produced during months one through four formed the technical exhibit. The handover to the in-house engineering team ran across June 2025. We trained two engineers on the PowerMTA configuration and the operational procedures, with weekly check-ins for the following ninety days. As of October 2025 the group runs the infrastructure with first-line support from its own team and second-line escalation to our on-call rotation, and the engagement has settled into a managed-service relationship as its long-term steady state.

─────────────────────────────────────────────────────────────────────────
04  /  What changed, what didn't

The infrastructure can answer fast.

The organisation around it answers as fast as the slowest team. The food title still under-performs. The total median DSAR response is 11 days, not 90 minutes. Honest framing matters here.

What measurably improved. After six months of operation on the new infrastructure, the measurable outcomes were these. Gmail inbox placement on the news title moved from 78 percent to 91 percent; on the lifestyle title from 72 percent to 87 percent; on the tech title (which had been the worst performer) from 64 percent to 86 percent. Domain reputation at Gmail Postmaster moved from "Medium" with periodic "Low" dips to "High", sustained across the full reporting window. The DMARC alignment pass rate moved from 91 percent to 99.7 percent after the SPF chain was rebuilt and the DNS provider quirk was eliminated. The Bavarian DPA inquiry closed without sanction. DSAR response time fell from a median of 14 days to a median of 90 minutes, with the 99th percentile under four hours. Subscriber engagement at Gmail recovered roughly half of the year-over-year decline in the subsequent six months, which the editorial team attributes partly to the inbox placement gain and partly to a parallel programme of subject-line and segmentation work that ran independently of our engagement.

What did not change. The food title's deliverability did not recover. The audience for that title turned out to be primarily older subscribers using ISP-provided email accounts (Yahoo, AOL, GMX, T-Online), and the mailbox provider mix on that segment is structurally harder to optimise than Gmail and Outlook. We made marginal improvements but the food title's inbox placement remained roughly 8 percentage points below the group average through the engagement, which was a known limitation we had flagged in the proposal. The retention reduction did not solve the broader DSAR processing problem at the group level, because the DSARs continued to require coordination between three separate teams — editorial, legal, engineering — and our work only addressed the technical layer. The technical response time fell from 14 days to 90 minutes, but the legal and editorial review still consumed most of the calendar window. The total median DSAR response time at the group level fell from 28 days to 11 days. That is not the 90-minute number our infrastructure produces in isolation. Honest framing matters here. The infrastructure can answer fast. The organisation around it answers as fast as the slowest team involved in the response.

ANONYMISATION NOTE
Identifying details have been anonymised at the customer's request. The technical details, timeline, and outcomes are accurate to the engagement.

Active regulatory inquiry?

Our DPO has handled correspondence with five EU supervisory authorities across the engagements we have run. The 30-minute call we offer covers what your situation needs from a technical standpoint, what it needs from a legal standpoint, and where the line between them sits. We do not run legal responses ourselves — we connect you to counsel who can. For the broader publisher-vertical frame — Tele2 Sverige precedent, Iceland Modern Media Initiative, editorial-versus-commercial separation, DSAR processing as a procurement gate — see the media organisations vertical brief.