Anti-spoofing for Custom Domains (SPF, DKIM & DMARC)

You can always just check the DNS Records yourself.

Short anwer: Yes, mailbox.org uses SPF, DKIM and DMARC.

Long answer: Everyone can send Emails in your name anyway. The mailbox.org SMTP servers do not check if you spoof your from address. See this discussion in the german forum: https://userforum.mailbox.org/topic/mailbox-org-smtp-server-stellt-mails-mit-gefakten-absender-zu

Gmail antispam system uses DKIM and DMARC. If I send an email with my custom domain to a Gmail user that will may be redireced to spam

The easy way is to use openssl and generate your private and public keys with this:

1. openssl genrsa -out private.key 1024
2. openssl rsa -in private.key -pubout -out public.key

If you want a 2048 bit key change "1024" with "2048".

With a TXT record you have to add:

• dkim._domainkey.yourdomain.TLD as a host name (change "dkim" with everything you want e.g. "default, key1" etc).
• in the value part v=DKIM1; k=rsa; p=your/generated/key

The SPF it's easy and reported in the support section of mailbox.org site, just add in a TXT record: v=spf1 include:mailbox.org and leave the host empty.

DMARC it's just a string, you don't have to generate nothing, again in a TXT record put:

• _dmarc in the host part
• v=DMARC1; p=none; rua=mailto:youraddress@yourdomain.TLD

(You can create an alias just for DMARC like reports-dmarc@yourdmain.TLD)

You can find openssl for every GNU/Linux distro and also on Windows I think.

Hope this helps you.

I'm happy to say that the mailbox.org team added DKIM and DMARC support.

In the knowledge base there are all the info. You can check it here https://kb.mailbox.org/display/MBOKBEN/Using+e-mail+addresses+of+your+domain

There's a detailed explanation of how to add DKIM with your domain.

Hope that is helpful.

Hi,

BUMPING this topic.

it's look like anyone with a valid mailbox.org account can send mail with domain configured on mailbox.org

E.G. Your account : toto@mailbox.org you can send an email as bidule@adomainname.com if a adomainname.com is configure by another mailbox.org user on mailbox.org,

If you try to spoof an address <something@mailbox.org> It's rejected.

I find this topic looking about DMARC.

I've two mailbox.org account, for different purpose. I tried by configuring Thunderbird to use my first account and spoof random address @mailbox.org and randomadress@mydomain on my 2nd account

I check the result in a test gmail address.

I would like to know what I need to configure to avoid that on mailbox.org, is DMARC the way to go?

For now I've only SPF & DKIM configured.

I read a little bit (https://userforum.mailbox.org/topic/mailbox-org-smtp-server-stellt-mails-mit-gefakten-absender-zu) answer with a translator but I don't get everythings, as I don't read german.

Why has this not been resolved?

can we get updates regarding the anti-spoofing fix?

at the moment spf/dkim/dmarc settings are ignored inbound from mailbox.org, i can receive spoofed emails from any domain either on my custom domain or mailbox.org aliases

I can understand the issues described by staff in previous posts but it's been over two years and we're not talking about implementing a new interface theme or adding optional features, this is a basic security measure that any normal email provider has.

Hi there and thanks for hanging in there with us. We totally get the challenges you and other users are facing with implementing anti-spoofing measures for custom domains on mailbox.org.

Just to let you know, it's definitely on our radar, but it needs careful planning and thorough checking of all security aspects.

Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don't honor DMARC at a 100% right now, we do take it into account.

Rest assured, we're committed to this and grateful for your continued support and understanding.

Best regards from your mailbox.org-Team!

Hi mailbox.org-Team,

any updates on this?

Thanks!

Hi,

I am currently in the trial period, evaluating the service to create 2 accounts on mailbox.org with several custom domains. So far the tests were very satisfactory, but this problem makes me think about looking for other alternatives because it is an unacceptable security flaw. Any realistic solution plan? Because it has been more than 4 years since it was reported and it is still unsolved.

This is becoming more and more pressing, due to the upcoming DMARC requirement for large-volume email being enforced by some major email providers starting tomorrow. Those of us who don't send thousands of emails per day are okay for now, but the rumor mill seems to imply that won't be the case for very long.

Here's Google's information on the topic.

Here's Yahoo/AOL's blog post.

Sorry, I don't have German primary sources for this information, though there are a few third-party blog posts.

Is there any update, or timeline for the problem to be fixed?

Can we please get an update about the current status in this topic?

Are there any updates on this? E-mails that fail DMARC and DKIM are not flagged or put in junk when DMARC policy is "quarantine", and this is a big deal. E-mail spoof tests show that you do not respect DMARC policies set by the domain DNS records.

For those interested, people are discussing this elsewhere: https://discuss.privacyguides.net/t/remove-mailbox-org/20232

This is also deeply concerning for me. My domain now gets an F rating from https://emailspooftest.com. Unauthenticated email sent from my own domain to me, despite my quarantine DMARC policy, appears right in my inbox!

Making me rethink the switch I made to your platform. Crazy.

It's disappointing that Mailbox.org's blog post today promotes its custom domains (Email address with your custom domain: introduction and tips), yet this serious issue has continued to go unaddressed, with very little communication other than occasional reassurances that it's being worked on, for years. I'll be moving off this platform.

I have just done https://emailspooftest.com/ just now and the only mail that should come though is E1 which is an email to say about the tests etc, and it looks like the issue has been sorted etc it has not, and I thought it has been sorted. But then suddenly Emails e5, e7 and e9 are the only ones to come though.

Mailbox.org really need to make this a number one priorty to fix and sort before working on other things. I know alot of people would use IM systems such as Signal, but email is a universal commications system and for signing up to online accounts. not fixing this bug could cause issues with other providers such as mailbox.org emails going into spam.

I agree with the comments above. To be fair to them though, I've tried that test with MS365 outlook, iCloud, Proton, Infomaniak, Zoho and they all fail in various ways. If I remember correctly, the only one that had full marks was forwardemail.net, but I don't know if I trust them enough as a company to use them. Infomaniak let E1 through, as it should, and then E7 too, so not too bad. Proton let E1 and E7 through to the inbox and E3,E5 in spam. iCloud E1, E9 and E7. Some of them went to spam when they should have been completely blocked. But ending up in spam is better than in the inbox like with Mailbox.org -- E1 in my inbox (as it should be), together with E5, E7 and E9.

I'd love to hear from Mailbox.org about this though to know what the status of their updates are. It really does't look good for a privacy-oriented service to fail a test like this.

Hello, I'm a new Mailbox user (using a custom domain) wondering what's the status of this issue. I probably should have done better research before I signed up but it never really crossed my mind that an email provider that's been around a while wouldn't be following normal security standards. Yes that sounds rather naive on my part when I put it that way!

Currently my dmarc reports are mostly OK, DKIM and SPF pass though testing my account with emailspooftest was pretty bad as discussed above.

Anyway I still have time to switch providers and it wouldn't be much effort at this point, what would be the general recommendation here?

Before I continue and waste my time to setup any custom domains or even consider to start using mailbox - this is not true, right?:

"E.G. Your account : toto@mailbox.org you can send an email as bidule@adomainname.com if a adomainname.com is configure by another mailbox.org user on mailbox.org,"This would make the whole domain verification step useless.

SPF/DKIM/DMARC is not implemented properly for incoming emails "only", isn't it? While this would be a bummer as well, but not as bad as the statement above.

Still not sure if I can accept the idea of using a (in comparison high priced) paid service that doesn't take standards into account that have been there for years or decades.

Seems like this has not been resolved.

Ran the same test as specified earlier and mailbox fails E3, E5, E9 and E1 Never gets delivered.