Comment by okanat
3 days ago
I think that is not up to date. Mailbox publishes DKIM records: https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...
SPF is here https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...
DMARC is up to the domain owner to set.
Lack of records isn't the issue. You authorize mailbox's servers to send on behalf of your domain. Then they let anyone with a mailbox account set the from to your domain.
I see, so their SMTP authentication is woefully broken and they let anybody who can send an e-mail from their SMTP server put anything in From:? That's rather hard to believe. The defaults of most SMTP servers like Postfix prevent that. Since I don't want to get banned I don't really want to test that option with their SMTP server.
I took the https://emailspooftest.com/ test and while the "spoof" mail gets delivered to mailbox.org's Inbox, my Thunderbird client is all red and it warns me about DKIM and SPF fails.
I think on the sending side, being able to send from others’ addresses is fixed by now: https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
But it definitely used to be possible, I tried once with success.
Anti-spoofing for incoming mails was not perfect the last time I checked either, but that is a different issue.