Email providers anti-spoofing comparison (Proton vs Tuta vs Mailbox.org)

In response to my post about Mailbox.org potentially having issues in implementing anti-spoofing for custom domains, there is a demand to know the anti-spoofing capabilities of all of the email providers recommended by privacyguides, including Proton, Tuta, and Mailbox.

I don’t have a custom domain or understand the anti-spoofing technology, but I’m hoping those who do can do the tests and provide clarity on whether each of the providers protect users from having their email aliases, whether using generic or custom domain, from being spoofed.


From the other similar thread about concerns about mailbox.org, I did a test on emailspooftest.com and I asked Proton for clarification. Tests number 5 and 9 failed with errors, and below is Proton’s reply.

You can safely ignore all the errors listed on the Email Spoof Test website. Details will be explained below.

1. Proton marks the following emails as spam:

(1) Emails that fail to pass the sender’s anti-spoofing (DMARC) "Quarantine" or "Reject" policy.
(2) Emails that contain spam, phishing, or other malicious elements.

2. Why didn’t Proton reject or mark some Spoof Test emails as spam?

Emails from <emailspooftest.com>:
- This is a legit email that has passed DMARC authentication.
- It does not contain any common bad elements and should be delivered to the inbox.

Emails from <garbage.com> and <verybad.badspf.com>:
- Proton does not mark emails as spam simply because the domain does not exist, as some legit platforms intentionally send email notifications from the non-existent subdomain to prevent people from sending replies to the No-Reply/Do-Not-Reply mailbox.
- This email did not contain any common bad elements and should be delivered to the inbox.

Emails from <badspf.com>:
- Proton does not mark emails as spam simply because the email fails to pass SPF authentication, as SPF needs to be used with DKIM and DMARC authentication to achieve a lower false-positive rate.
- This email did not contain any common bad elements and should be delivered to the inbox.

Emails from <baddkim.com> and your own custom domain:
- Due to massive user complaints, Proton has adopted an alternative solution for the DMARC “Reject” policy. We mark those emails as spam and add a warning banner, so Proton users can see those emails and inform the senders (the mailing list platforms) to fix their SPF and DKIM settings.
- This is an expected result, not an error.

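To make the disposition rules in Proton’s reply concrete, here is a small added model (example code written for this thread, not Proton’s implementation): it computes DMARC pass/fail from SPF, DKIM and relaxed identifier alignment, then applies the policy described above, where only a DMARC failure under p=quarantine/reject lands in spam with a banner. The domains and policies in the sample cases are constructed assumptions modelled on the spoof-test names in the thread.

```python
from dataclasses import dataclass

@dataclass
class AuthResults:
    from_domain: str      # domain in the RFC 5322 From: header
    spf_result: str       # "pass" / "fail" / "none"
    spf_domain: str       # domain SPF was evaluated against (MAIL FROM)
    dkim_result: str      # "pass" / "fail" / "none"
    dkim_domain: str      # d= tag of the DKIM signature, "" if unsigned
    dmarc_policy: str     # sender's published p= tag, or "absent" if no record

def org_domain(domain: str) -> str:
    """Crude organizational-domain approximation (last two labels);
    real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    """Relaxed alignment: both identifiers share an organizational domain."""
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)

def dmarc_pass(r: AuthResults) -> bool:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From:."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)
    return spf_ok or dkim_ok

def disposition(r: AuthResults) -> str:
    """Apply the behaviour described in the reply: SPF failure alone, or a
    nonexistent sending domain, is not enough; only a DMARC failure under
    quarantine/reject is treated as spam, with a warning banner in place of
    a hard reject (Proton's stated substitute for the Reject policy)."""
    if r.dmarc_policy in ("absent", "none"):
        return "inbox"                   # nothing to enforce
    if dmarc_pass(r):
        return "inbox"
    return "spam+warning-banner"

# Constructed cases (assumed policies, not published DNS records).
CASES = {
    "legit": AuthResults("emailspooftest.com", "pass", "emailspooftest.com",
                         "pass", "emailspooftest.com", "reject"),
    "badspf": AuthResults("badspf.com", "fail", "badspf.com", "none", "", "absent"),
    "baddkim": AuthResults("baddkim.com", "fail", "baddkim.com",
                           "fail", "baddkim.com", "reject"),
    "unaligned_spf": AuthResults("example.com", "pass", "mailer.example.net",
                                 "none", "", "quarantine"),
}

def run_cases() -> dict:
    return {name: disposition(r) for name, r in CASES.items()}
```

The "unaligned_spf" case shows why a bare SPF pass is not enough: the passing domain must align with the visible From: domain for DMARC to pass.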

Thank you, but I must admit I’m confused about these tests. It seems they are testing Proton’s capability in detecting spoofed emails.

This is separate (I think) from the question I am interested in, and which I highlighted in the prior post.

My question is whether email providers allow a user to send email from mail@customdomain even if such user did not register such email address/domain, as long as another user of the same email provider did register such email address/domain?

And as a secondary question, if the legitimate owner of such email address/domain sends mail to others, will it pass standard anti-spoof tests or will it be rejected or marked as spam?

If the emailspooftest.com answers these questions, I think there needs to be an explanation.

Otherwise, I think it may need to be tested manually. I’m not sure if there is an easier solution, but this is what I have in mind. Let’s say I own a custom domain and have it set up with mailbox (or tuta/proton). I should then set up a new mailbox account and try to send mail from the custom domain I own, without properly setting it up (I presume there is some sensitive code which only the owner of a domain has access to, and which is used to ‘properly set up’ with an email service provider).


I can confirm this, I checked my own domain.

The configuration is done properly and Proton approves it in the panel of the personal account.

I additionally consulted with a specialist from 1984.hosting.

try another test here