Welcome to the mailbox.org user forum!

Spoofing protection (again)

4092220 shared this problem 2 months ago
In Progress

Hello. Thanks to this email tester I uncovered that mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and could lead to dire consequences if I didn't constantly check the original headers of each letter.

I have turned on every possible protection to strict mode on my custom domain, and even copied and changed the SPF record to make it stricter:


v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all


But again, some server was still able to spoof my domain and sent me a letter as "Boss <boss@mydomain.com>", pretending to have the right to send letters from my domain. After I checked the headers, I realized that mailbox.org doesn't check SPF, DKIM, or DMARC records at all.


My question is, why hasn't a paid mail service implemented phishing protection, as the free mail services Protonmail, Tutanota, Gmail, and others have?


Please do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.

Comments (5)


Hi there,

Thanks for this hint.

We are investigating this issue and will come back to you.

Generally, we do not recommend setting SPF records to strict (-all).

Best regards


Hi support,

Following this topic as I'm also interested in and concerned about anti-spoofing protection.

I think what Protonmail does in this instance is very useful, see:


https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-authentication-requirements-warning/


So when an email fails DKIM/SPF checks, a warning is shown to users.


PS: I've reproduced the issue from the original post even when my domain uses ~all instead of -all.
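To make the receiving-side check concrete, here is an added Python example (not mailbox.org's or Protonmail's code) that evaluates the SPF record quoted in the original post against a sender IP, and shows how the ~all / -all difference from the PS above changes the verdict for an unlisted sender. Assumptions: the "mx" mechanism is resolved from caller-supplied addresses instead of DNS, and include/a/exists terms (which need DNS) are skipped.

```python
import ipaddress

# Constructed sample: the SPF record quoted in the original post.
SPF_RECORD = ("v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 "
              "ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all")

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (result-if-matched, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                     # no prefix means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((QUALIFIERS[qualifier], mech.lower(), arg))
    return terms


def check_spf(record, sender_ip, mx_addresses=()):
    """Return the SPF result for the connecting sender_ip.

    mx_addresses stands in for the DNS lookup a real evaluator does for the
    'mx' mechanism (assumption: the caller resolved the domain's MX hosts).
    """
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif mech == "mx":
            if any(ip == ipaddress.ip_address(a) for a in mx_addresses):
                return result
        elif mech == "all":
            return result               # -all -> fail, ~all -> softfail
        # include / a / exists need DNS; skipped in this offline example
    return "neutral"                    # no term matched


if __name__ == "__main__":
    for sender in ("80.241.60.5", "213.203.238.200", "198.51.100.7"):
        print(sender, check_spf(SPF_RECORD, sender))
```

A sender outside every listed range gets "fail" with -all but only "softfail" with ~all, which is why the spoofed message in the original post is not rejected unless the receiving MTA actually acts on the result.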


Thank you, and I'm aware of -all, but the source of this information was entirely in German. I struggled with Google Translate but understood a little. If you have an English-language source, please provide it in this thread.


I'm using Mozilla Thunderbird 78 on Windows and Fastmail on Android. Yes, I can install additional plugins for Thunderbird to check DKIM, SPF and DMARC, but these checks should be done by an email security gateway.


Moreover, by default, the DMARC policy is not enabled for mailbox.org, and only 50% of emails would be affected by the DMARC policy.

The MTA-STS policy is in testing mode. I have a custom domain, so I'm able to provide my own policies, but by default it is practically off.


mailbox.org support has answered this question here (in German, though):


https://userforum.mailbox.org/topic/5349-wertet-mailbox-org-dkimdmarc-nicht-aus#comment-22406

It would be nice if the support team could provide an English translation of that answer here. If they delay, though, and you can't understand the answer after using a translation tool, reply to this comment and I can translate it for you myself.


The question is basically about the setting "DMARC p=reject" or "p=none" on our servers. DMARC combines the checks of SPF and DKIM. If you use your own domain, you can configure this setting by yourself as per this guide (lower part).


Here's a translation of the original text by our CEO Peer Heinlein:


Putting a hard DKIM policy in place has led to massive issues in real life. Eventually our users blame us for this (and then cancel their accounts or polemicise about us as an unreliable provider in every "third" forum).

There are still many mailing lists or other constructs where DKIM has not been implemented flawlessly.

A hard DKIM policy would cause a lot of (desired) e-mails not to reach their destination.

This is the fault of others, but we end up being the culprit.

We re-evaluate the situation every 6 months and are waiting for the right moment to set the hard DKIM policy live - or, well, to allow our users to configure this. However, rejecting hard is a tough one; also compare this with the thrashing we were given for our SMTP plausibility check.


I see, thank you. Is there a way to indicate in the web interface that this letter has a couple of problems, like the Protonmail company did?


Thank you, mailbox team, for acknowledging the ticket and starting to work on it!

Can't wait to see the changes!


Please take note of this scheduled change, which addresses the previously mentioned scenario.

https://mailbox.org/en/post/security-adjustment-and-deactivation-of-certain-mail-functions