Welcome to the mailbox.org user forum!
 

Anti-spoofing for Custom Domains (SPF, DKIM & DMARC)

2153638 shared this question 8 years ago
Need Answer

Does mailbox.org offer anti-spoofing options for custom domains? I can find no information about this on the help pages. Other privacy-oriented providers, e.g. protonmail, do offer this (see here: https://protonmail.com/support/knowledge-base/anti-spoofing/).


Mailbox.org should make information about SPF, DKIM and DMARC easy to find.

Best Answer
photo

Hi there and thanks for hanging in there with us. We totally get the challenges you and other users are facing with implementing anti-spoofing measures for custom domains on mailbox.org.

Just to let you know, it's definitely on our radar, but it needs careful planning and thorough checking of all security aspects.

Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don't honor DMARC at a 100% right now, we do take it into account.

Rest assured, we're committed to this and grateful for your continued support and understanding.

Best regards from your mailbox.org-Team!

Replies (17)

photo
2

You can always just check the DNS Records yourself.


Short anwer: Yes, mailbox.org uses SPF, DKIM and DMARC.

Long answer: Everyone can send Emails in your name anyway. The mailbox.org SMTP servers do not check if you spoof your from address. See this discussion in the german forum: https://userforum.mailbox.org/topic/mailbox-org-smtp-server-stellt-mails-mit-gefakten-absender-zu

photo
1

Gmail antispam system uses DKIM and DMARC. If I send an email with my custom domain to a Gmail user that will may be redireced to spam

photo
1

I actually have this exact problem. Using Mailbox with custom domain and some of my mail is marked as spam by default on Gmail. The weird thing is that not for all Gmail recipients, but only for some.

Any idea how to resolve this?

photo
1

I have the same problem, I'm using every method available to increase authenticity of my own domain's email to avoid spam filters, but Mailbox's ip addresses are blacklisted at some anti-spam organizations. I emailed support about this and they responded that they're working on resolving this.

photo
1

Yes. Also heard of it. They’re working on their outbound structure to solve those issues.

Hopefully it will work.

photo
1

Following this article: https://kb.mailbox.org/display/MBOKBEN/Using+e-mail+addresses+of+your+domain (namely DKIM and DMARC) resolved my issue. All mails are now successfully delivered.

photo
photo
3

The easy way is to use openssl and generate your private and public keys with this:


  1. openssl genrsa -out private.key 1024
  2. openssl rsa -in private.key -pubout -out public.key

If you want a 2048 bit key change "1024" with "2048".


With a TXT record you have to add:


  • dkim._domainkey.yourdomain.TLD as a host name (change "dkim" with everything you want e.g. "default, key1" etc).
  • in the value part v=DKIM1; k=rsa; p=your/generated/key


The SPF it's easy and reported in the support section of mailbox.org site, just add in a TXT record: v=spf1 include:mailbox.org and leave the host empty.


DMARC it's just a string, you don't have to generate nothing, again in a TXT record put:


  • _dmarc in the host part
  • v=DMARC1; p=none; rua=mailto:youraddress@yourdomain.TLD

(You can create an alias just for DMARC like reports-dmarc@yourdmain.TLD)


You can find openssl for every GNU/Linux distro and also on Windows I think.

Hope this helps you.

photo
1

In order to use DKIM private key should be saved on mail server and public key in TXT record as shown above. It's impossible to setup DKIM by yourself without Mailbox.org support.

photo
2

True, I was wrong.

It's not working in our scenario, because we don't have backend access to mailbox.org servers.

So, the previous post was wrong, unless you have your own server or a cloud VPS and running Postfix, Dovecot etc by yourself.

photo
photo
2

I'm happy to say that the mailbox.org team added DKIM and DMARC support.

In the knowledge base there are all the info. You can check it here https://kb.mailbox.org/display/MBOKBEN/Using+e-mail+addresses+of+your+domain

There's a detailed explanation of how to add DKIM with your domain.

Hope that is helpful.

photo
1

Wonderful! What is `_domainkey` in the DKIM section, though? Is the the subdomain or the content of the TXT record in the SPF part?

photo
2

No, it's a standard for DKIM key records.

You have to literally write MBO0001._domainkey on your TXT record, in the subdomain section.

If you check other providers it could be like google1234._domainkey or yahoo1234._domainkey.

So, ._domainkey it's the standard part. The name of the key is the part before.

photo
1

Ahh, stupid me! Thanks a lot!

photo
photo
5

Hi,

BUMPING this topic.

it's look like anyone with a valid mailbox.org account can send mail with domain configured on mailbox.org

E.G. Your account : toto@mailbox.org you can send an email as bidule@adomainname.com if a adomainname.com is configure by another mailbox.org user on mailbox.org,

If you try to spoof an address <something@mailbox.org> It's rejected.

I find this topic looking about DMARC.

I've two mailbox.org account, for different purpose. I tried by configuring Thunderbird to use my first account and spoof random address @mailbox.org and randomadress@mydomain on my 2nd account

I check the result in a test gmail address.

I would like to know what I need to configure to avoid that on mailbox.org, is DMARC the way to go?

For now I've only SPF & DKIM configured.

I read a little bit (https://userforum.mailbox.org/topic/mailbox-org-smtp-server-stellt-mails-mit-gefakten-absender-zu) answer with a translator but I don't get everythings, as I don't read german.

photo
4

I just tested this and you are correct. This is extremely troubling.

I have SPF, DKIM, and DMARC setup and I still managed to spoof an email not connected to my account.

photo
1

I'm a bit confuse , I opened a support ticket as the support didn't reply here ? (after 49 days)

photo
1

I have been talking with the support about this and they are saying it’s intended.


I tried to explain the issue further now and I am waiting for another answer.


Meanwhile, I moved 5 users away from Mailbox.org.

photo
3

Dam! That's terrible, How this can be intended as it's block for the default domain @mailbox.org ?

I hope I'll get a positive feedback from the support, and I hope you are wrong ! but current facts make me think you are not :(

I like the service, I don't really want to move again, when I did this research for DMARC, I was planning to transfer more domains & more accounts to mailbox.org :( :(

photo
5

The possibility of using different sender addresses was introduced some time ago due to a a mistake/misconfiguration. Unfortunately, it's not that easy to stop that, since we have many business customers that use us as a mail relay and/or that re using catch-all addresses.

Right now, we're on the way to stop this; we're logging every sender/user mismatch, analyze it and contact users that are sending legal mail without having this account registered in their user data. This takes a lot of time and is difficult.

Hopefully next weeks we'll be able to switch from warn- to reject mode.

This project started in autumn, but making that big/important change in Christmas time isn't a good idea if you have many business customers. It was postponed to spring, but also now, during corona time, many users and companies had much more important stuff to do (also we had), so adding some extra technical issues isn't still good idea. We'll activate this if everybody all over the world calmed down and we had the chance to analyze everything and to minimize the impact of such a change. -That's why "stupid and ease looking changes" take sometimes 9 month even if it is on the roadmap and even if activating that block would take less then 10 seconds...

photo
2

Do you have an update here?

photo
2

I created this issue long time ago https://userforum-en.mailbox.org/topic/spoofing-protection-again


But, as I checked a minute ago, mailbox doesn't check SPF and DMARC. It's still possible to spoof my custom domain

photo
2

I just tried sending as <spoof-test@mailbox.org> (obviously not me, and sorry if it pops up in some logs :-). It went through with DKIM signature and all. If I read Thom's post from 23 months ago correctly, it should have been rejected instead? What is the status here?

photo
3

FYI, the reason I tried is because I read about it on HackerNews where it’s discussed as a possible security issue: < https://news.ycombinator.com/item?id=30224906 >

photo
2

I would also be interested in knowing if this changes have been implemented.

photo
2

We have created an internal team in order to approach this issue.

Please bear with us.

photo
4

Is there any update on this issue?

photo
2

Hey Support,

When can we expect an adequate level of security from your service?

Your website proudly states: We will do everything to protect you.

Yet, two years have passed, and it is still possible to spoof email from private domains.


Thanks

photo
3

Is this still an issue?

photo
2

We already have taken measures internally and came up with a plan to remedy this.

In addition we have scheduled a meeting next week where we will discuss further steps.

We'll keep you posted on the outcome.

We want to fix this quickly.

photo
5

What was the outcome of the meeting?

photo
1

@mailbox.org Support: If I understand correctly this actually violates your IT-Sicherheitskennzeichen from BSI on the point "Stand der Technik" in that it seems that you aren't fulfilling "Das Schließen von bekannten Sicherheitslücken."

There is an online form to report such "Schwachstellen und Sicherheitslücken" which I am feeling inclined to submit due to the lack of action on your end.


Could you please clarify/make a statement?

Thanks.

photo
1

I would like to ask why mailbox does not honour dmarc settings.


i have two personal domains, both with dmarc set to reject. domain1 on mailbox.org and domain2 on zoho.

Using a fake mail service if I send a spoofed email from domain1 and domain2 to mailbox.org the emails arrive in the inbox, if I do the same to zoho the emails do not arrive.

photo
photo
2

Why has this not been resolved?

photo
3

Good question. I also asked this several times and no feedback - maybe because it's not solved at all could be the answer.

Would be nice to get some official feedback.

There are also some threads within the german forums about it.

https://userforum.mailbox.org/topic/6425-weiterentwicklung-von-mailbox-org-wie-schaut-es-mit-dem-fokus-auf-das-kernprodukt-e-mail-aus

photo
photo
2

can we get updates regarding the anti-spoofing fix?

at the moment spf/dkim/dmarc settings are ignored inbound from mailbox.org, i can receive spoofed emails from any domain either on my custom domain or mailbox.org aliases

I can understand the issues described by staff in previous posts but it's been over two years and we're not talking about implementing a new interface theme or adding optional features, this is a basic security measure that any normal email provider has.

photo
3

Hi there and thanks for hanging in there with us. We totally get the challenges you and other users are facing with implementing anti-spoofing measures for custom domains on mailbox.org.

Just to let you know, it's definitely on our radar, but it needs careful planning and thorough checking of all security aspects.

Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don't honor DMARC at a 100% right now, we do take it into account.

Rest assured, we're committed to this and grateful for your continued support and understanding.

Best regards from your mailbox.org-Team!

photo
5

Hi mailbox.org-Team,

any updates on this?

Thanks!

photo
3

Hi,

I am currently in the trial period, evaluating the service to create 2 accounts on mailbox.org with several custom domains. So far the tests were very satisfactory, but this problem makes me think about looking for other alternatives because it is an unacceptable security flaw. Any realistic solution plan? Because it has been more than 4 years since it was reported and it is still unsolved.

photo
3

This is becoming more and more pressing, due to the upcoming DMARC requirement for large-volume email being enforced by some major email providers starting tomorrow. Those of us who don't send thousands of emails per day are okay for now, but the rumor mill seems to imply that won't be the case for very long.


Here's Google's information on the topic.

Here's Yahoo/AOL's blog post.

Sorry, I don't have German primary sources for this information, though there are a few third-party blog posts.

photo
5

Is there any update, or timeline for the problem to be fixed?

photo
2

Can we please get an update about the current status in this topic?

photo
1

Are there any updates on this? E-mails that fail DMARC and DKIM are not flagged or put in junk when DMARC policy is "quarantine", and this is a big deal. E-mail spoof tests show that you do not respect DMARC policies set by the domain DNS records.

photo
2

For those interested, people are discussing this elsewhere: https://discuss.privacyguides.net/t/remove-mailbox-org/20232

photo
3

This is also deeply concerning for me. My domain now gets an F rating from https://emailspooftest.com. Unauthenticated email sent from my own domain to me, despite my quarantine DMARC policy, appears right in my inbox!


Making me rethink the switch I made to your platform. Crazy.

photo
1

It's disappointing that Mailbox.org's blog post today promotes its custom domains (Email address with your custom domain: introduction and tips), yet this serious issue has continued to go unaddressed, with very little communication other than occasional reassurances that it's being worked on, for years. I'll be moving off this platform.

Leave a Comment
 
Attach a file