Welcome to the mailbox.org user forum!

Spoofing protection (again)

4092220 shared this problem 28 days ago

Hello. Thanks to this email tester I uncovered that Mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and may lead to dire consequences if I didn't constantly check the original headers of each letter.

I have turned on every possible protection to strict mode on my custom domain, even copied and changed SPF record to make it stricter:

v=spf1 ip4: ip4: ip4: ip4: ip6:2001:67c:2050::/48 ip4: mx -all

But again, some server was still able to spoof my domain and send a letter to me in the form of "Boss <boss@mydomain.com>", pretending to have rights to send letters from my domain. After I checked the headers, I realized that Mailbox.org doesn't check SPF, DKIM, and DMARC records at all.

My question is: why hasn't a paid mail service implemented phishing protection, as the free mail services Protonmail, Tutanota, Gmail, and others have?

Please do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.

Comments (1)


Hi there,

thanks for this hint.

We are investigating this issue and will come back to you.

Generally we do not recommend setting SPF records to strict (-all).

Best regards


Hi support,

Following this topic as I'm also interested/concerned about anti-spoofing protection.

I think what Protonmail does in this instance is very useful, see:


So when an email fails DKIM/SPF checks, a warning is shown to users.

PS: I've reproduced the issue from the original post even when my domain uses ~all instead of -all.


Thank you, and I'm aware of -all, but the source of this information was fully in German. I struggled with Google Translate, but understood a little. If you do have an English language source, please provide it in this thread.


I'm using Mozilla Thunderbird 78 on Windows and Fastmail on Android. Yes, I can install additional plugins for Thunderbird to check DKIM, SPF and DMARC, but these checks should be done by an Email Security Gateway.

Moreover, by default, the DMARC policy is not enabled for mailbox.org and only 50% of emails would be affected by DMARC policy.

The MTA-STS policy is in testing mode. I have a custom domain, so I'm able to provide my own policies, but by default it is practically off.
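
Added example, not part of any post in this thread and not mailbox.org code: a minimal offline evaluation of the `ip4`/`ip6`/`all` terms of an SPF record, showing what `-all` and `~all` each tell a receiver about an unlisted sending IP. The record addresses are constructed from documentation ranges, and `receiver_action` is a hypothetical gateway policy.

```python
import ipaddress

# SPF qualifier -> result, per RFC 7208
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: documentation address ranges, not the poster's values.
STRICT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx -all"
SOFT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx ~all"


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all terms of one SPF record for sender_ip.

    Mechanisms that need DNS (mx, a, include, exists) are skipped so the
    example runs offline; a real verifier has to resolve them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed or empty address
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def receiver_action(spf_result):
    """Hypothetical gateway policy: the record only helps if this step exists."""
    return {"fail": "reject", "softfail": "flag"}.get(spf_result, "deliver")


if __name__ == "__main__":
    for label, record in (("-all", STRICT), ("~all", SOFT)):
        result = evaluate_spf(record, "198.51.100.7")  # not listed in the record
        print(label, result, receiver_action(result))
```

SPF is evaluated against the envelope sender domain; tying the result to the visible From address is the job of DMARC alignment on the receiving side.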