As Mark writes, MX has fixed IP A record, reverse DNS round-trips with A lookup, stay off RBLs, DKIM sign your mail are absolutely required. Using at least conditional DMARC mitigation is required, too. However, conditional DMARC mitigation won't help with gmx.net, it has the same DMARC policy as web.de:
    % host -t TXT _dmarc.gmx.net
    _dmarc.gmx.net descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarcreport@gmx.net"
    % host -t TXT _dmarc.web.de
    _dmarc.web.de descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarcreport@web.de"
The important part is "p=none", which says that GMX does not reject or quarantine *solely* because of a DMARC fail.[1] The conditional DMARC mitigation will *not* be applied for that domain for this reason. However, some sites consider From alignment (domain of DKIM signature = domain of author address in From:) in scoring spam. If GMX does that, unconditional DMARC mitigation may help.
Two additional configurations that may help:
- Authenticated Received Chain (ARC) is a relatively new standard which is used by some of the large American providers, specifically GMail and outlook.com. The basic idea is that your host will validate the digital signature on receipt of the post, add a header field reporting the results, and digitally sign that report. Many receiving hosts will then apply the same trust to your validation report that they do to your signatures. Maybe GMX will do it, too.
- SPF is an older standard than DKIM, which uses the IP address of the source of the incoming connection instead of a digital signature. This may help in some cases, but it's much less important than DKIM signatures nowadays.
As a last resort, you may disable all Mailman features (adding list tags or serial numbers to Subject:, adding header or footer to the body) that invalidate signatures. Unfortunately this may not be legal (some jurisdictions may require that you add instructions on how to leave the list).
Steve
Footnotes:
[1] IIRC, the "sp=quarantine" means that some fraction of DMARC failing mail should be quarantined for testing purposes, but the default fraction is 0 so that is ignored.
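The p=none check discussed in the message, as an added example that is not part of the original post and is not Mailman's own code: it parses the two quoted records and reports whether a list that mitigates only for stricter policies would act on them. The function names, the act_on parameter and the strict.example record are assumptions made for illustration; the subdomain flag follows RFC 7489, where sp is the policy requested for subdomains of the queried domain.

```python
# Added example: decide from a published DMARC record whether "conditional"
# mitigation (act only when the author domain asks for enforcement) applies.

RECORDS = {
    # TXT values copied from the host output quoted in the message.
    "gmx.net": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarcreport@gmx.net",
    "web.de": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarcreport@web.de",
    # Constructed record for contrast, not a real domain's policy.
    "strict.example": "v=DMARC1; p=reject; rua=mailto:reports@strict.example",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a TXT value into {tag: value}; return None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed tag
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def published_policy(txt, author_is_subdomain=False):
    """Policy requested for the author domain, or None if unusable."""
    tags = parse_dmarc(txt)
    if tags is None:
        return None
    policy = tags.get("p", "")
    if author_is_subdomain:
        # RFC 7489: sp, when present, replaces p for subdomains.
        policy = tags.get("sp", policy)
    policy = policy.lower()
    return policy if policy in VALID_POLICIES else None


def conditional_mitigation_applies(txt, act_on=("reject", "quarantine"),
                                   author_is_subdomain=False):
    """True when the published policy is one the list chose to act on."""
    return published_policy(txt, author_is_subdomain) in act_on


if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        print(domain, published_policy(txt), conditional_mitigation_applies(txt))
```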