Comment by akvadrako

4 days ago

I use mailbox for the past few years and I think it's the best option out there. But they have one major issue, which is that anyone can impersonate your domain:

https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...

6 comments

akvadrako

Reply
okanat  3 days ago

I think that is not up to date. Mailbox publishes DKIM records: https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...

SPF is here https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...

DMARC is up to the domain owner to set.

  • akvadrako  3 days ago

    Lack of records isn't the issue. You authorize mailbox's servers to send on behalf of your domain. Then they let anyone with a mailbox account set the from to your domain.

    • okanat  3 days ago

      I see, so their SMTP authentication is woefully broken and they let anybody who can send an e-mail from their SMTP server to put anything in From: ? That's rather hard to believe. The defaults of most SMTP servers like Postfix prevent that. Since I don't want to get banned I don't really want to test that option with their SMTP server.

      I took the https://emailspooftest.com/ and while the "spoof" mail gets delivered to mailbox.org's Inbox, my Thunderbird client is all red and it warns me about DKIM and SPF fails.

      2 replies →