Mailbox.org has released Login 2.0

3 Likes

Looks like some decent improvements.

I tried mailbox.org a while back, but found the general interface and overall experience to be mediocre.

I’ll have another look to see how the experience is in 2025.

1 Like

Finally! The previous 2FA solution was really outdated and user-unfriendly.

Now with App passwords and the new 2FA I think they cover pretty much all recommended/necessary security features for an email provider.

Or am I missing something?

1 Like

They are still not respecting DMARC

1 Like

What consequences/risks does this bring?

If it's true that they’re not respecting DMARC, this does have an effect on how other email providers treat it; for the most part your mailbox email would go to spam.

There are no consequences for how other email providers treat your emails from mailbox.org. Their DMARC record and other settings for outgoing mail are set appropriately.

It’s their incoming spam filters which don’t 100% respect DMARC records, meaning you could receive spoofed emails in your inbox that aren’t blocked or marked as spam.

6 Likes

How can I detect spoofed email if it's not filtered by mailbox 🤔? Sorry, I am not aware of all email security terms.

It will be a daunting task; you would have to compare the sender of the email with the DNS records manually. It will simply not work imho.
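Added example, not part of any post in this thread: a short Python check that reads the `Authentication-Results` header the receiving server stamps on a message and tests whether any passing SPF or DKIM result is aligned with the `From:` domain. The authserv-id `mx.provider.example`, the sample messages and all domains are constructed placeholders; alignment here is deliberately stricter than DMARC's relaxed mode because no Public Suffix List is consulted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own provider stamps on inbound mail (placeholder).
TRUSTED_AUTHSERV = "mx.provider.example"

def aligned(from_dom, auth_dom):
    # Stricter than DMARC relaxed alignment (no Public Suffix List lookup):
    # the domains must be equal or one must be a subdomain of the other.
    a, b = from_dom.lower(), auth_dom.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_message(raw, trusted=TRUSTED_AUTHSERV):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {"from_domain": from_dom, "dmarc": None, "aligned_pass": False}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(hdr.split()).partition(";")
        if authserv.strip().split(" ")[0].lower() != trusted:
            continue  # a sender can forge this header; only trust your provider's
        for part in results.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
            if not m:
                continue
            method, result = m.group(1), m.group(2).lower()
            if method == "dmarc":
                out["dmarc"] = result
                continue
            prop = "smtp.mailfrom" if method == "spf" else "header.d"
            d = re.search(re.escape(prop) + r"=(\S+)", part)
            dom = d.group(1).rpartition("@")[2] if d else ""
            if result == "pass" and dom and aligned(from_dom, dom):
                out["aligned_pass"] = True
    # Flag on an explicit DMARC fail, or when nothing trusted vouches for From.
    out["suspicious"] = out["dmarc"] == "fail" or (
        out["dmarc"] != "pass" and not out["aligned_pass"])
    return out

# Constructed sample headers (not real traffic).
SPOOFED = ("Authentication-Results: mx.provider.example;\n"
           " spf=pass smtp.mailfrom=bounce@mailer.unrelated.example;\n"
           " dkim=none; dmarc=fail (p=reject) header.from=bank.example\n"
           'From: "Bank Support" <support@bank.example>\n\nbody\n')
LEGIT = SPOOFED.replace("mailer.unrelated.example", "mail.bank.example") \
               .replace("dkim=none", "dkim=pass header.d=bank.example") \
               .replace("dmarc=fail", "dmarc=pass")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw))
```

Feed it the raw source of a message ("view source" / "show original" in most mail clients); only the header added by your own provider counts, since anything else could have been written by the sender.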

With this being the case is mailbox still recommended? Looking for a new provider myself.

What are you referring to? Login 2.0 or DMARC record checks? If you’re talking about the latter, well, DMARC is just a signal for how an email should be treated. In an ideal world you just do whatever the record tells you. In the real world people misconfigure their stuff, but you still want to receive emails from them. So you have to weigh strict compliance against availability, so Mailbox.org not blindly treating someone else’s DMARC records as gospel could be an overall plus depending on the situation. We’re after all not talking about them just accepting all kinds of email; they have a lot of systems in place to curb spam and spoofing (and tbh when I personally tried them in the past, I found them to be a bit too protective for my own liking, but there’s some personal preference when it comes to whatever you consider proper email handling).

Long story short, I don’t see why this singular information should affect the recommendation, as long as overall they do a good job sorting ham from spam, protecting the user while ensuring important emails still end up in your mailbox. To assess this, you need to look at the situation comprehensively imo. (I’m not currently using any of the recommended email providers so I don’t have a horse in this at all.)

1 Like

DMARC should be followed nonetheless. I feel like you’re missing the point of DMARC. DMARC's role is to protect every person involved: companies from impersonation and subscribers from phishing.

Your argument could go further: why does an email provider respect authentication like SPF and DKIM? Someone might misconfigure them, so let’s deliver it to the inbox anyway! Do you see? Specifications should be followed, DMARC is no exception. Microsoft, Gmail and Yahoo! are respecting DMARC as well - why wouldn’t they if the specification was invented to protect everyone?

Also, Gmail, Yahoo and Microsoft are requiring every bulk sender to have a DMARC record set under sending domain. It’s a requirement, not a bonus step anymore.

DMARC is great, and Mailbox should really question their priorities and be fixing this DMARC mess immediately.

If you want to learn more about DMARC, the RFC is a great place to start:

1 Like

Been using mailbox.org for 6 months or so. It's been flawless as far as my workload requires 👍

1 Like

Trust me I’ve read through all email-related RFCs (and many others). But reading your comment I’m not sure what point you’re trying to argue.

DMARC should be followed nonetheless. I feel like you’re missing the point of DMARC. DMARC's role is to protect every person involved: companies from impersonation and subscribers from phishing.

Sorry but your argument for “following DMARC whatsoever” is just that it’s a technology intended to protect everyone? I don’t think anybody ever questioned that DMARC is intended to improve email security. Doesn’t mean it’s always flawless.

Your argument could go further: why does an email provider respect authentication like SPF and DKIM? Someone might misconfigure them, so let’s deliver it to the inbox anyway! Do you see?

Yes. I would argue that of course. I’m however not saying every email ever should get delivered to the user Inbox without any filtering. Not sure where you got that from.

Microsoft, Gmail and Yahoo! are respecting DMARC as well - why wouldn’t they if the specification was invented to protect everyone?

Again, the specification’s intent is almost irrelevant. What matters is if that goal is actually achieved. And where’s your data on how accurately the big players you mentioned are adhering to DMARC policies? But yeah let’s say they all do that, would still just be an argument to authority.

Also, Gmail, Yahoo and Microsoft are requiring every bulk sender to have a DMARC record set under sending domain. It’s a requirement, not a bonus step anymore.

Yes. So? Irrelevant to the topic at hand because it was never about sending, only receiving. Mailbox.org of course has a DMARC record setup for their domains (not sure if they permit any bulk sending, but whatever).

DMARC is great, and Mailbox should really question their priorities and be fixing this DMARC mess immediately.

I agree overall it’s a great technology, especially because it allows some great monitoring of email flow and whether outgoing mail is blocked etc., but where is the mess? Mailbox.org uses DMARC already, but even your “holy” RFC plainly lists some shortcomings, especially for users of mailing lists. What’s so wrong about the fact that an email provider might try to alleviate these? It’s not like Mailbox.org users get any discernible higher amount of spam/phishing (again, I don’t use it anymore but a few years back I found the filters to be generally quite restrictive, so from personal experience I would say this is just not an issue with this provider).

1 Like

I don’t have any useful knowledge about the DMARC question, but I appreciate that it’s being discussed since I’ve been curious/concerned about it for a while.

Other than mailbox.org’s clunky web interface (which I rarely use), the DMARC question has been pretty much the only concern I have with the service. I’ve used it for about 5 years and been happy with it. Looking forward to the rollout of the new login 2.0.