“New users can only put 2 links in a post” - would’ve been great to know before I wrote all this. I just post the source then. Ban me or whatever if this is against the rules. After all this work I really don’t care
<mod edit: restored original post below>
@d2d and others already said most of what I’m going to write, but just to try to summarize and clarify the situation in relation to the initial post of this thread:
Outgoing mail of mailbox.org users (the non-existent problem)
Sending via mailbox.org mail server
- It is not possible for a mailbox.org user to send mails as another existing user via mailbox.org’s mail servers.
  ("As another user" meaning FROM address being the mail address of the other user)
- It is not possible for a mailbox.org user to send mails from another user’s custom domain via mailbox.org’s mail servers.
  (“from another user’s custom domain” meaning FROM address being xyz@another-users-custom-domain.com)
Source: I have a mailbox.org account with custom domains set up and created a second mailbox.org account to test the two scenarios. (Also other people in this thread stated this already)
My SMTP logs (censored)
Sending mail via mailbox.org’s mail server with FROM-address being another existing user’s mail address
$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO mailbox.org
250-smtp202.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== ‘Username:’ in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== ‘Password:’ in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:account1@mailbox.org
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 account1@mailbox.org: Sender address rejected: not owned by user account2-user@mailbox.org
Sending mail via mailbox.org’s mail server with domain in FROM-address being another existing user’s custom domain
$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO my-custom-domain-of-account1.com
250-smtp102.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== ‘Username:’ in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== ‘Password:’ in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:mail@my-custom-domain-of-account1.com
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 mail@my-custom-domain-of-account1.com: Sender address rejected: not owned by user account2-user@mailbox.org
Mailbox.org’s support of SPF, DMARC and DKIM
- SPF, DMARC and DKIM for outgoing mail of mailbox.org users are working as intended.
- Whether other people will receive emails spoofing/faking your email address depends on the mail server of the recipient.
Source: I verified SPF and DMARC/DKIM for outgoing mail a lot when setting it up maybe 1 or 2 years ago; I have also verified it a few times since then, and it has been working as expected ever since.
Incoming mail to mailbox.org users (the actual problem)
- It seems like mailbox.org often does not respect DMARC policies like quarantine (set by the sender or the sender’s mail provider) and still delivers to mailbox.org users’ inbox. Like multiple other users here, I can also confirm this. They say they do take it into account though:
Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don’t honor DMARC at a 100% right now, we do take it into account. [mailbox.org Support, 2023-06-28]
- It seems to me they decided not to fully honor DMARC policies, but still take them into account when “calculating” whether incoming mail is spam or not.
- It seems like they err a bit too much on the “not spam” side when SPF and DMARC/DKIM come into play. As far as I know that is not unique to mailbox.org though? But I don’t have proof for that.
- I wonder why they say SPF settings are being honored (in comparison to DMARC being “not honored 100%”). The emailspooftest.com results seem to indicate SPF fails also don’t lead to mails being delivered to the junk folder. I dunno, the linked post is not very clear on that.
I think they should honor DMARC “more” (maybe even 100%, but let’s not get crazy here). While it obviously doesn’t affect outgoing mail, it makes mailbox.org users a lot more susceptible to phishing and similar attacks.
I hope this post helps people that are not that deep into this topic. To the other ones: feel free to correct me if I got something wrong.
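To make the two halves of the post concrete, here is a small model (added example, written for this thread; it is not mailbox.org’s code and does not show how their servers are implemented). Part 1 models the submission-side ownership check that produces the "553 5.7.1 ... Sender address rejected: not owned by user" reply seen in the logs above; the ownership table is a constructed assumption. Part 2 models what a receiving server that honors DMARC at 100% would do with an incoming message, which is the behaviour the second half of the post asks mailbox.org for. It assumes the SPF and DKIM results have already been computed (as a real receiver would have them from its own checks), uses a simplified organizational-domain rule (last two labels, no public-suffix list), and treats pct= as 100.

```python
"""Model of the two checks discussed in the post (added example, not mailbox.org code).

Part 1 mirrors the submission-side ownership check behind the
"553 5.7.1 ... Sender address rejected: not owned by user" reply.
Part 2 shows what a receiver that fully honors DMARC would do with a
message whose SPF/DKIM results and From: domain are already known.
"""

# --- Part 1: sender ownership on the submission server -----------------------

# Constructed ownership table (assumption): authenticated user -> the addresses
# and custom domains that user is allowed to put in MAIL FROM.
OWNERSHIP = {
    "account1@mailbox.org": {
        "addresses": {"account1@mailbox.org"},
        "domains": {"my-custom-domain-of-account1.com"},
    },
    "account2-user@mailbox.org": {
        "addresses": {"account2-user@mailbox.org"},
        "domains": set(),
    },
}


def check_mail_from(auth_user, mail_from, ownership=OWNERSHIP):
    """Return the SMTP reply a submission server should give to MAIL FROM."""
    owned = ownership.get(auth_user)
    if owned is None:
        return "530 5.7.0 Authentication required"
    addr = mail_from.strip().strip("<>").lower()
    domain = addr.rpartition("@")[2]
    if addr in owned["addresses"] or domain in owned["domains"]:
        return "250 2.1.0 Ok"
    return f"553 5.7.1 {addr}: Sender address rejected: not owned by user {auth_user}"


# --- Part 2: DMARC disposition on the receiving server ----------------------

def parse_dmarc(record):
    """Parse a DMARC TXT record into its tags; None if it is not a usable DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for a message, honoring p= at 100%.

    spf_result/dkim_result are 'pass' or 'fail'; spf_domain is the MAIL FROM
    domain, dkim_domain the d= of a passing signature. pct= is treated as 100.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ("none", "deliver")  # no policy published: DMARC does not apply
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags["p"].lower()
    if policy == "reject":
        return ("fail", "reject")
    if policy == "quarantine":
        return ("fail", "quarantine")
    return ("fail", "deliver")  # p=none: monitor only


if __name__ == "__main__":
    # The two scenarios from the logs above, replayed against the model.
    print(check_mail_from("account2-user@mailbox.org", "account1@mailbox.org"))
    print(check_mail_from("account2-user@mailbox.org", "mail@my-custom-domain-of-account1.com"))
    print(check_mail_from("account1@mailbox.org", "mail@my-custom-domain-of-account1.com"))
    # A From: example.com message with p=quarantine and no aligned pass (constructed input).
    print(dmarc_disposition("example.com", "v=DMARC1; p=quarantine", "fail", "", "fail", ""))
```

The point of part 2 is the last branch: when neither an aligned SPF pass nor an aligned DKIM pass exists, the published p= decides what happens, and a receiver that "takes DMARC into account" as one spam signal instead of acting on p=quarantine is exactly what lets such a message land in the inbox.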