Remove Mailbox.org

Vadim · November 12, 2025, 12:31am

Mailbox.org has several security issues and should be considered for removal as it is advertised to be a secure mailbox solution.

Issues:

Mailbox announced that the user now has the option to deactivate the password reset (and 2FA reset) via IMAP. However, the default setting is that a reset via IMAP is enabled and will reset the password and 2FA. Based on the Support it will stay that way
They don‘t have any security notification or dashboard where you can see sessions, failed logins, recent actions like password changes. No notification when 2FA was activated, when password was changed, when IMAP password has been created etc. unlike Tuta, Fastmail, Proton, etc.
No OAuth or YubiKey support for 2FA
No recovery codes possible for 2FA TOTP
No SPAM/Rejection-Log
Increase of vulnerabilities and minimal response provided by Mailbox team
No roadmap or timeline to implement anti-spoofing for custom domains

Topic		Replies	Views
Email providers anti-spoofing comparison (Proton vs Tuta vs Mailbox.org) General	3	2207	September 11, 2024
Mailbox.org has released Login 2.0 General article	14	2403	July 11, 2025
Posteo (email provider) Tool Suggestions rejected	17	6230	October 9, 2024
Advice needed: Spamhaus blocklisting Njalla domains General	5	653	September 16, 2025
Using Posteo w/a Custom Domain? Questions	9	2066	August 25, 2025