Whatever the specifics, Mailbox is not transparent about its DMARC policy:
Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don’t honor DMARC at a 100% right now, we do take it into account
It also seems their open PGP support is limited to the main account, not aliases and custom domains:
Note: The mailbox.org Guard is designed to work with your main email address. It is not intended to be used in combination with aliases.
And
Users need to hand over their private PGP keys to be stored on our servers.
…
However, one might argue that encryption keys, which remain password-protected as they sit on our infrastructure, are probably stored more safely and securely with us than on a private PC or smartphone.
Security experts like M. Cardwell have explicitly warned users to not store or use their private OpenPGP keys on devices that are not secure (like smartphones).
Who the f*ck is M. Cardwell? It could be Edward Snowden for all I care, it is still an appeal to authority rather than actual reasoning.
Their guide/FAQ is ridiculously long-winded and complicated, packed with pointless sentences like the above.
According to their user forums, their support often does answer emails, or are very slow.
As mentioned already, their CEO sometimes answers users in the forums, and in a way which absolutely does not give me a sense of trust and professionalism. This was his response to the unanimous call from his clientelle to use standardized 2FA instead of his confusing alternative:
I’m sorry, but it’s not equal secure. It’s much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.