Remove Mailbox.org

Yes except they recycle their domain.

Further reason to remove Mailbox.org is its weird implementation of 2FA. It requires you to change your password to a four-character PIN, and then add the 2FA code to the end of the password when logging in.

A couple of months ago they released a BETA version with normal 2FA. But this was after 5+ years of demands for change, during which the CEO responded to users in a most dismissive, arrogant, and unprofessional way, saying

I’m sorry, but it’s not equal secure. It’s much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.

It seems Posteo is more trusted and respected in German forums. Their communications are far more transparent and clear.

There is no justification for the inclusion of Mailbox.org but not Posteo. The only significant thing separating them is the custom domain feature. If Mailbox.org isn’t implementing it in a secure way, it needs to be removed. Posteo may be right in refusing to implement it to maintain their high privacy/security standards.

Anyway, custom domains only provide agency to the user if they purchase a domain themselves, rather than hire it from a proxy. This necessarily involves sacrificing anonymity. Privacy and anonymity are not the same, but much of the site is catered toward anonymous use of the internet/services, and therefore readers of the guide should be aware of this limitation of custom domains, and providers which do not provide this feature should not, by default, be excluded.

1 Like

All things considered, I think all anti-spoofing measures of all the privacyguides email recommendations need to be tested, for both generic and custom domains.

If Mailbox.org fails, then it must be removed. If all fail, the recommendation to use custom domains must be adjusted, and the requirement must be waived (and equally private/secure providers included in recommendation).

I just want to point out that, according to the Reddit link you shared, it was (at least until 2018, don’t know if they fixed it) possible to gain access to the debug log because of some broken SQL query. This is a claim that I can’t verify, so make your own opinion about it.

For me this one is unlikely to make too much of a difference as I’m the only user of the domain.

So basically anyone who uses your custom domain can impersonate other users of the custom domain? This is far less significant than the claim made in the Mailbox forum, that users of a Mailbox can impersonate other users of Mailbox.

But I don’t understand how this email spoofing test is testing for this. It seems more like a test for detecting how a provider detects spoofed mail, rather than a provider’s capability in preventing its users from spoofing the identity of other users.

I wonder how other providers we recommend compare.

I set up a separate thread to compare this (as comparisons in this thread were removed by a moderator).

I have a custom domain with them. I have SPF, DKIM, and DMARC records set with DMARC p=quarantine. I also have DNSSEC enabled for my domain. Mail-tester gives me 10/10, so sending e-mails with my custom domain is highly unlikely to be considered spam. However, emailspooftest.com gives me F in 2 vectors. It seems like mailbox.org doesn’t respect SPF and DKIM failure and, consequently, DMARC misalignments. It’s very easy for someone to impersonate my e-mail domain because of this. DMARC p=quarantine should flag the e-mails that have failed SPF or DKIM, and should put them in the junk folder. I also agree that mailbox.org should immediately address this issue.

These are the results of emailspooftest:

| Test | Result | Grade |
|---|---|---|
| Deliverability test | Validated | A |
| Fake subdomain protection | Enforced | A |
| BEC fake insider protection | Vulnerable | F |
| Look-a-like protection | Enforced | A |
| Domain attack protection | Vulnerable | F |
| Subdomain attack protection | Enforced | A |

Thank you for this. So, to be exact but non-technical, which of the following does this mean:

  1. Those with an account with mailbox can send mail from your (@example) domain, without permission?
  2. Anyone can send mail from your (@example) domain, without your permission?
  3. Those with an account with mailbox can send mail from your full email address (mymail@example) without your permission?
  4. Anyone can send mail from your full email address (mymail@example) without your permission?
  5. Those with an account with mailbox can send mail from your full email address (mymail@example), and those without an account can send mail from your (@example) domain, without your permission?

I hope this is exact enough LOL. The various tests and technologies are a bit confusing, so I want to spell things out to make them easier to understand.

Additionally, do Mailbox generic domains suffer from any of the same problems?

And finally, if somebody does any of 1-5, will the receiving email provider be more likely to mark it as spam than if you legitimately use your own account/domain?

No Mailbox.org user can send an email with a sender address of another Mailbox.org user (no matter if own domain or not). The mail server says: Sender address rejected: not owned by user ...@example.com

1 Like

In this case I don’t know what the problem is, if any.

Whatever the specifics, Mailbox is not transparent about its DMARC policy:

Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don’t honor DMARC at a 100% right now, we do take it into account

It also seems their open PGP support is limited to the main account, not aliases and custom domains:

Note: The mailbox.org Guard is designed to work with your main email address. It is not intended to be used in combination with aliases.

And

Users need to hand over their private PGP keys to be stored on our servers.

…

However, one might argue that encryption keys, which remain password-protected as they sit on our infrastructure, are probably stored more safely and securely with us than on a private PC or smartphone.
Security experts like M. Cardwell have explicitly warned users to not store or use their private OpenPGP keys on devices that are not secure (like smartphones).

Who the f*ck is M. Cardwell? It could be Edward Snowden for all I care, it is still an appeal to authority rather than actual reasoning.

Their guide/FAQ is ridiculously long-winded and complicated, packed with pointless sentences like the above.

According to their user forums, their support often does answer emails, or is very slow.

As mentioned already, their CEO sometimes answers users in the forums, and in a way which absolutely does not give me a sense of trust and professionalism. This was his response to the unanimous call from his clientele to use standardized 2FA instead of his confusing alternative:

I’m sorry, but it’s not equal secure. It’s much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.

“New users can only put 2 links in a post” - would’ve been great to know before I wrote all this. I just post the source then. Ban me or whatever if this is against the rules. After all this work I really don’t care :expressionless:

<mod edit: restored original post below>

@d2d and others already said most of what I’m going to write, but just to try to summarize and clarify the situation in relation to the initial post of this thread:

Outgoing mail of mailbox.org users (the non-existent problem)

Sending via mailbox.org mail server

  • It is not possible for a mailbox.org user to send mails as another existing user via mailbox.org’s mail servers.
    • ("As another user" meaning FROM address being mail address of the other user)

  • It is not possible for a mailbox.org user to send mails from another user’s custom domain via mailbox.org’s mail servers.

Source: I have a mailbox.org account with custom domains set up and created a second mailbox.org account to test the two scenarios. (Also other people in this thread stated this already)

My SMTP logs (censored)

Sending mail via mailbox.org’s mail server with FROM-address being another existing user’s mail address

$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO mailbox.org
250-smtp202.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== ‘Username:’ in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== ‘Password:’ in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:account1@mailbox.org
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 account1@mailbox.org: Sender address rejected: not owned by user account2-user@mailbox.org

Sending mail via mailbox.org’s mail server with domain in FROM-address being another existing user’s custom domain

$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO my-custom-domain-of-account1.com
250-smtp102.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== ‘Username:’ in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== ‘Password:’ in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:mail@my-custom-domain-of-account1.com
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 mail@my-custom-domain-of-account1.com: Sender address rejected: not owned by user account2-user@mailbox.org

Mailbox.org’s support of SPF, DMARC and DKIM

  • SPF, DMARC and DKIM for outgoing mail of mailbox.org users are working as intended.
  • Whether other people will receive emails spoofing/faking your email address depends on the mail server of the recipient.

Source: I verified SPF and DMARC/DKIM for outgoing mail a lot when setting it up maybe 1 or 2 years ago; I have also verified it a few times since then, and it’s been working as expected ever since.

Incoming mail to mailbox.org users (the actual problem)

  • It seems like mailbox.org often does not respect DMARC policies like quarantine (set by the sender or the sender’s mail provider) and still delivers to mailbox.org users’ inbox - as multiple other users here, I can also confirm this. They say they do take it into account though:

    Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don’t honor DMARC at a 100% right now, we do take it into account. [mailbox.org Support, 2023-06-28]

  • It seems to me they decided to not fully honor DMARC policies, but still take them into account when “calculating” if incoming mail is spam or not.
    • It seems like they err a bit too much on the “not spam” side when SPF, DMARC/DKIM come into play. As far as I know that is not unique to mailbox.org though? But I don’t have proof for that :wink:
  • I wonder why they say SPF settings are being honored (in comparison to DMARC being “not honored 100%”). The emailspooftest.com results seem to indicate SPF fails also don’t lead to mails being delivered to the junk folder. I dunno, the linked post is not very clear on that.

I think they should honor DMARC “more” (maybe even 100%, but let’s not get crazy here). While it obviously doesn’t affect outgoing mail, it makes mailbox.org users a lot more susceptible to phishing and similar attacks.

I hope this post helps people that are not that deep into this topic. To the other ones: feel free to correct me if I got something wrong :smile:

3 Likes
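To make concrete what the posts above mean by “honoring DMARC” (with p=quarantine, a message whose SPF and DKIM results do not align with the From: domain belongs in the junk folder, while an aligned pass is delivered normally), here is a receiver-side DMARC evaluation written as an added example for this thread; it is not mailbox.org’s or any real MTA’s code. The organizational-domain heuristic (last two DNS labels), the `record_domain` parameter and the sample records used with it are assumptions made for the example; a real receiver uses the Public Suffix List and live DNS lookups.

```python
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels.
    # A real MTA consults the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False  # that authentication method did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Receiver-side DMARC result: 'pass', 'none', 'quarantine' or 'reject'.
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= domain of a verified DKIM signature, else None.
    record_domain: where the record was found (From: domain or its org domain)."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags.get("aspf", "r")) or \
       aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r")):
        return "pass"  # at least one aligned pass: deliver normally
    # Neither identifier aligned, so the published policy applies. If the record
    # came from the organizational domain, sp= (when present) covers subdomains.
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return policy.lower()
```

A message claiming to be from example.com with no passing SPF or DKIM, or with SPF passing only for some unrelated MAIL FROM domain, evaluates to the published p=quarantine and should not reach the inbox; that is the case the emailspooftest “Domain attack” and “BEC fake insider” vectors exercise.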

@d2d and @Finerdly make clear that the initial problem I highlighted is not a problem. Do people think it’s safe to say that it is resolved? My only doubt is that both accounts seem to have been set up specifically to respond to this post. I think a reproduction of Finerdly’s tests by somebody equally knowledgeable and who is already a contributor to PG would put this issue to bed. (I mean no disrespect @Finerdly, thanks for the contribution)

In which case the anti-spoofing problem is merely the following:

  1. Mailbox.org does not send some mail to spam which should be sent to spam

  2. Mailbox.org are poor at communicating. As stated in OP, I didn’t make up this problem - somebody claimed it in their forum, mailbox.org confirmed it, and never said it was fixed.

This issue was confirmed by Mailbox.org four years ago, with unfulfilled promises to fix it since.

1 Like

It’s not just a DMARC problem: mailbox.org servers don’t verify either SPF or DKIM.

Just try a tool like emkei.cz.
On my address @mailbox.org and on my address @mycustomdomain.com (hosted on mailbox.org) I can receive mail from any domain.

mailbox.org does not only offer a webinterface (like other services!) where we can restrict access and we can forbid any login with password-only. We also offer different/many different services and protocols like SMTP, XMPP and much more (and much more will be added in the future) that must still be open for password-logins. For that, a stolen/sniffed password CAN be used to gain access to different services and accounts.

then use fucking oauth oh my god

They are rolling that out now.

Good point. So far I’ve had no reason to create an account here. In another forum (where I’ve been active for a while) this topic was linked. And because information is missing here that is available in the other forum, I registered here. The message I mentioned from the outgoing mail server can be checked by anyone with an account, so it’s not a secret.

Yes, the communication is not good. To be fair, it’s a forum by users for users (users helping other users) and not a classic support forum.

I use Mailbox.org, Posteo and tuta and haven’t had a bad experience with any of them. Good support (not much contact) and no problems with spam (none or very few, and my emails have always arrived, including from my own domain). I think all three are good enough to recommend. Of course there is always something to improve here and there, but where is that not the case?

1 Like