Spoofing protection (again)
Hello. Thanks to this email tester I uncovered that Mailbox.org doesn't check SPF, DKIM, and DMARC records, which is terrible and may lead to dire consequences if I didn't constantly check the original headers of each letter.
I have turned on every possible protection to strict mode on my custom domain, and even copied and changed the SPF record to make it stricter:
v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all
But again, some server was still able to spoof my domain and send a letter to me in the form of "Boss <boss@mydomain.com>", pretending to have the right to send letters from my domain. After I checked the headers, I realized that Mailbox.org doesn't check SPF, DKIM, and DMARC records at all.
My question is, why hasn't a paid mail service implemented phishing protection, as the free mail services Protonmail, Tutanota, Gmail, and others have?
Please do not refer to German sources, articles and videos - I'm an international customer with English language proficiency.
Hi there,
thanks for this hint.
We are investigating this issue and will come back to you.
Generally we do not recommend setting SPF records to strict (-all).
Best regards
mailbox.org support has answered this question here (in German though):
https://userforum.mailbox.org/topic/5349-wertet-mailbox-org-dkimdmarc-nicht-aus#comment-22406
It would be nice if the support team could provide an English translation of that answer here. If they delay though and you can't understand the answer after using a translation tool, then reply to this comment and I can translate it for you myself.
The question is basically about the setting "DMARC p=reject" or "p=none" on our servers. DMARC combines the checks of SPF and DKIM. If you use your own domain, you can configure this setting yourself as per this guide (lower part).
Here's a translation of the original text by our CEO Peer Heinlein:
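As an added illustration for the original post and the support answer above (this is example code, not part of the thread and not mailbox.org's software), the following Python script evaluates the SPF record quoted earlier against a connecting IP and then combines SPF and DKIM into a DMARC verdict with identifier alignment, which is the check DMARC p=reject relies on. The DMARC record, the sample messages, the sender IPs and the DKIM results are constructed assumptions; the organizational-domain logic is simplified and SPF mechanisms that need DNS (mx, a, include) are not resolved offline.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# SPF record as posted in the thread; only ip4/ip6/all are evaluated offline here
SPF_RECORD = ("v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 "
              "ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 ip4:80.241.60.0/24 mx -all")
# Constructed DMARC record with strict alignment, matching an "everything strict" setup
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for the connecting IP.
    Mechanisms that need DNS (mx, a, include, exists, ptr) are skipped, i.e.
    treated as no-match, so this is an offline approximation of RFC 7208."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate_dmarc(raw_message, sender_ip, mail_from_domain, dkim_results,
                   spf_record=SPF_RECORD, dmarc_record=DMARC_RECORD):
    """Combine SPF and DKIM into a DMARC verdict for one message.

    spf_record is assumed to be the SPF record of mail_from_domain (the
    envelope sender). dkim_results is a list of (result, signing_domain)
    pairs as a DKIM verifier would report them. Returns the SPF result,
    the alignment outcomes, the DMARC result and the disposition the
    receiver should apply (the p= tag on failure, 'none' on pass)."""
    tags = parse_dmarc(dmarc_record)
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()  # RFC5322.From domain

    spf_result = evaluate_spf(spf_record, sender_ip)
    spf_aligned = spf_result == "pass" and aligned(
        mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for result, d in dkim_results)
    passed = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed sample: the scenario from the thread. The message claims to come
# from the domain owner but arrives from an IP (documentation range) that is
# not in the SPF record and carries no DKIM signature.
SPOOFED = """From: Boss <boss@mydomain.com>
To: me@mydomain.com
Subject: Urgent wire transfer

Please handle this today.
"""
# Constructed sample: a legitimate message relayed from an IP inside
# 80.241.56.0/21 and DKIM-signed by mydomain.com.
LEGIT = SPOOFED.replace("Urgent wire transfer", "Team lunch")


if __name__ == "__main__":
    spoof = evaluate_dmarc(SPOOFED, "203.0.113.5", "mydomain.com", [])
    legit = evaluate_dmarc(LEGIT, "80.241.58.10", "mydomain.com", [("pass", "mydomain.com")])
    for name, verdict in (("spoofed", spoof), ("legit", legit)):
        print(f"{name}: spf={verdict['spf']} dmarc={verdict['dmarc']} "
              f"disposition={verdict['disposition']}")
```

With p=reject and strict alignment the spoofed message ends with disposition "reject", while the legitimate one passes; a message that is forwarded (SPF passes for the forwarder's domain but is not aligned with the From domain) still passes through an aligned DKIM signature, which is why DKIM, not SPF alone, carries DMARC through forwarding.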
Thank you mailbox team for acknowledging the ticket and starting work on it!
Can't wait to see the changes!
Please take note of this scheduled change that addresses the formerly mentioned scenario.
https://mailbox.org/en/post/security-adjustment-and-deactivation-of-certain-mail-functions