-> It's an absolutely basic feature of a mail provider. I would rather have a solid app from my mail provider than let another party read my mails.
Not sure what you mean but it seems that you can change a setting so that it doesn’t reject spam mails but puts them in a spam folder instead
-> nope, this does not fix the issue. Even when setting the Spam filter as weak as possible Mailbox will still reject emails without notifying the user (lots of reports in the userforum)
TOTP is good enough for most people
-> Probably yes, but we are talking about privacy and security oriented people and yubikey is often considered as the best 2FA method. Also do you know any other service that does not offer recovery codes when using TOTP? I don't.
Although to be fair this was 8 years ago and is no longer the case but I want to mention it anyway to prove my point that mailbox has serious issues regarding security and privacy.
mailbox offered to store your private key on their server
Frontpage of mailbox is WordPress
Roughly translated: I’ve got all the user sessions from 2016 in front of me right now — and not because I’m doing any shady hacker stuff, but because the debug log is publicly readable on the server and it’s outputting a broken SQL query
„Mailbox is still the best email provider that supports third party email clients“
„Mailbox is the best in its class“
„Still, Mailbox is the best for the average user.“
How can you seriously still claim something like that after all those arguments?
I stand by what I said. As in IMAP, privacy-focused providers, yes Mailbox is the best in its class. I am not putting Proton in the same class. They are fundamentally different. If you intend to commit crimes and circumvent governments, then yes go with Proton. It all depends on your threat model. For the average user, Mailbox is one of the best.
Not on mobile. The bridge thing is a pretty lame bandaid for the lack of support. This is where Mailbox does well because you can also have e2ee with openpgp but also supports caldav, carddav, and webdav (use with Cryptomator).
It’s not widely supported. Outside of Gmail, Outlook, and Zoho I don’t know of other providers that do this (not sure about Tuta/Proton). App-passwords and similar notifications are also less useful than they sound unless they’re sent to a recovery address you actively monitor (not a given for a service that doesn’t require an email address to sign up).
Nevertheless, they could do a lot better. The more you use it, the more it feels like a borderline insecure email service, with privacy gimmicks piled on top. Yes, they allow you to upload your public key, but they don't properly implement anti-spoofing measures. It's crazy that people are ditching Gmail for this, if you think about it. I wouldn't go so far as to call it an irresponsible recommendation, but the trade-offs versus the status quo are substantial, and people are typically not aware of them.
It’s crazy that people are ditching Gmail for this
Not at all. It's a choice you have to make. Give up your rights for a false sense of security, and have all of your emails read by algorithms, AI and any engineers at Google to sell you junk online, or use Mailbox.
It's becoming clear that there are different segments of this privacy forum. There are individuals who just want a relatively secure email (gmail), people who want privacy from governments (proton), and a middle-ground group that wants the convenience of what they're used to but with privacy from big tech (mailbox).
I don’t mean to defend Google, but I’ll go out on a limb and say your email contents are likely safer with Google than with an outfit like mailbox and can be accessed by far fewer people, too. They don’t profile you on Gmail content anymore (same for Outlook), and the privacy settings they expose seem sufficient to limit much of the other nonsense they shove at you. Proton would have been a better example as it’s zero-knowledge out of the box.
I’d love a good, standards-compliant, no-nonsense email provider that covers the basics and more, the middle ground, as you call it, but this isn’t it.
If you're willing to go on a limb, I also have a bridge to sell. I shouldn't have to bring up the fact that Google has had lawsuits filed against them and been found guilty of collecting user data even in incognito mode. So yeah, I am sure that AI bot summarizing my emails is not collecting any information.
If you mean the probability that a random employee will take a look at my emails - yes, it's higher with smaller providers who have actual people working there. If you mean access to gathered, sorted and analyzed content of my emails, which is then shared with their 1253 partners who care about my privacy - then the chances that Google (Microsoft, Yahoo, Yandex…) will do that are way higher.
When it comes to security, I also assume Google (MS and others) is always on high alert, but it is also a bigger target. Also, smaller but trustworthy providers are for sure capable of keeping their services safe. Better than I would do, if I were self-hosting it.
Regarding Mailbox.org, I agree the IMAP password reset is a possible vulnerability, but if the user can deactivate it, then it is OK. Should it be off by default - I'm not sure, and for me, it's not a big deal.
I meant employees at Google having access to Gmail contents of individual users. I don’t doubt their capacity for duplicity or for misconfiguration issues whereby the data you think isn’t being collected actually is (Many such cases!). I still think you’re better off with them than with mailbox, or at least with a proper middle‑ground provider such as Fastmail (jurisdiction questions aside) that can clearly explain their technological (and other) choices.
I’ve been a mailbox customer long enough to remember they gaslighted people who pointed out their 2FA was silly, only to eventually cave and provide a standard implementation as if nothing had happened. Suddenly, 2FA “offers a way to reliably secure access to your mailbox account” instead of the insane shared‑computer scenario they previously cocked up to justify their weak 2FA choices before their knowledge base was redone. This makes them look ideological, which implies incompetence, and I’m tired of people recommending them with a straight face.
I’m not, by the way, a Gmail user, and I don’t use Google services, except for maintaining a Google account to access Play Store apps on my GrapheneOS device and for watching some YouTube.
That Mailbox straight up ignores SPF and DMARC records of incoming mails is a serious threat in my opinion; this also contradicts their own claims.
Further up, there are already some people who have shared their observations on this, and I was able to replicate these results.
I received every email from every domain I spoofed and sent with https://emkei.cz/ and others.
In this press release they claim that they are implementing DMARC [..] SPF as defined in TR-03182 „E-Mail-Authentifizierung“.
To comply, a M(ail) H(andling) S(ervice) has to comply with:
4.1.2 SPF Verification
[…] If it is not authorized and the sending domain’s SPF policy requires Fail, the MHS SHOULD implement the instruction according to the sending domain’s SPF policy. […]
4.1.7 Verifying DMARC
[…] If a DMARC policy already exists, the MHS MUST check the policy. If there is a DMARC policy violation, the MHS SHOULD handle the message according to the DMARC policy of the sending domain. If the MHS deviates from the processing specifications, e.g., using local-overrides, the operator MUST justify and document this […]
And what exactly does mailbox.org’s spam filter do, other than sit back and watch emails land in the inbox as if everything were perfectly normal?
However, the criteria of Privacy Guides do not help resolve this issue:
Must have a proper DMARC record and policy or use ARC for authentication.
What about verification for incoming mails?
Must support viewing of message headers, as it is a crucial forensic feature to determine if an email is a phishing attempt.
Who checks the headers of every email for SPF and DMARC compliance because their receiving mail service (recommended by Privacy Guides) is not honoring SPF and DMARC?
How and when will a decision be made? There are a lot of reasons in this (and in other threads) for removing the service from the recommendations (at least until they drastically improve and fix their problems). Some members of Privacy Guides already shared their frustration, but how do you proceed?
I’ll be honest, I don’t really care if it’s removed or not, but it seems like they are addressing all the significant* concerns, no? Or is the standard that any mistakes at any time will result in removing a recommendation?
I also see it as a really good alternative to Proton and Tuta because it allows you to bring your own keys and integrates very well with standard IMAP clients when used as such, so it would be at least a little bit of a shame to remove it.
*I personally don’t think strict DMARC adherence is a significant concern for a privacy-based recommendation
No, that would be ridiculous. But removing a service that makes dozens of mistakes without providing any advantages over competitors (or even being on the same level) is valid.
Unless there is some aspect I am missing, this seems to be at least partially mitigable using the sieve filter feature they provide. An “Authentication-Results” header seems to be getting added on the incoming mail, which identifies bad spf/dkim/dmarc results, and that can be checked in a sieve filter like so:
It’s not great that they aren’t handling it by default, but it seems to be possible to do something yourself. My naive filters just stick anything marked spf=fail, spf=softfail, dkim=fail, or dmarc=fail into spam, a more complex set of filters may be able to handle it more appropriately.
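Doing that check yourself, as an added example that is not code from the post above or from mailbox.org: the Python below evaluates Authentication-Results headers the way the sieve filter does, but it only trusts the header whose authserv-id belongs to the receiving server (a constructed placeholder here), because a sender can inject a forged “pass” header of their own, and it honors the sending domain's DMARC policy as the TR-03182 excerpt quoted earlier requires. The sample message is constructed.

```python
import re
from email import message_from_string, policy as email_policy

# Assumed authserv-id the receiving server writes into its own header (constructed placeholder).
TRUSTED_AUTHSERV_ID = "mx.example-provider.invalid"

# Constructed sample: a sender-injected "pass" header, then the receiving server's real verdict.
SPOOFED = """\
Authentication-Results: attacker.example; spf=pass smtp.mailfrom=bank.example
Authentication-Results: mx.example-provider.invalid;
 spf=fail smtp.mailfrom=bank.example; dkim=none;
 dmarc=fail (p=reject dis=none) header.from=bank.example
"""

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, dmarc_policy_or_None)}) for one header."""
    value = " ".join(str(value).split())                 # undo any header folding
    dmarc_policy = None
    m = re.search(r"dmarc=\w+\s*\(([^)]*)\)", value)     # DMARC p= sits in a comment
    if m and (pm := re.search(r"\bp=(\w+)", m.group(1))):
        dmarc_policy = pm.group(1).lower()
    bare = re.sub(r"\([^)]*\)", "", value)                # drop RFC 5322 comments
    parts = [p.strip() for p in bare.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()             # "authserv-id [version]"
    results = {}
    for part in parts[1:]:
        mm = re.match(r"(spf|dkim|dmarc)=(\w+)", part, re.I)
        if mm:
            meth, res = mm.group(1).lower(), mm.group(2).lower()
            results[meth] = (res, dmarc_policy if meth == "dmarc" else None)
    return authserv_id, results

def classify(raw_message, trusted=TRUSTED_AUTHSERV_ID):
    """Return 'reject', 'spam' or 'inbox' using only the trusted server's verdicts."""
    msg = message_from_string(raw_message, policy=email_policy.default)
    merged = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(hdr)
        if authserv_id == trusted:           # anything else may be sender-injected
            merged.update(results)
    if not merged:
        return "inbox"                       # no trusted verdict; tighten to 'spam' if preferred
    dmarc, dmarc_policy = merged.get("dmarc", (None, None))
    if dmarc == "fail":                      # follow the sending domain's published policy
        return "reject" if dmarc_policy == "reject" else "spam"
    spf = merged.get("spf", ("",))[0]
    if spf in ("fail", "softfail") or merged.get("dkim", ("",))[0] == "fail":
        return "spam"
    return "inbox"
```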
„See this just feels dishonest. I literally just explained a fairly important one in the post you’re replying to“
Yes you are right, they have the option to use a custom domain and they offer IMAP and other standards. Those are fair advantages. But those do not make them stand out since e.g. Fastmail offers them as well but has more and better features, while not having any major security problems.
„What are the “dozens” of mistakes Mailbox has made? I’ve seen like 3 at most.“
I feel like this is a good moment to summarize again and outline why this service NEEDS to be removed:
Enabling a password reset via IMAP that fully resets strong passwords AND 2FA. Not by mistake but instead with full intention, and also only giving the option to deactivate this feature after many angry users complained. This vulnerability is still enabled by default!
Emails from catch-all accounts belonging to other mailboxes of the same domain were visible in other users’ inboxes
Having a debug log publicly available that exposed user sessions
Offering to store private key on mailbox servers
Even after the 2FA-Beta AND after configuring the Application Passwords the main password was still valid to use for applications
Citation from today: „In summary, as of today December 8th, 2025, the challenge with Mailbox.Org Business email services is that it is still VERY WEAK SECURITY. Why? Because there is NO 2FA on the Business ADMINISTRATOR account. The activated 2FA is only for the Business USER accounts. This is a major security risk. Why? Because the ADMINISTRATOR account controls both the domain DNS records, and all USER accounts usernames and passwords. In turn, this ADMINISTRATOR account has access to all USER accounts and their other data. In other words, someone with Evil behaviors could hack or abuse the ADMINISTRATOR account, then access all USER accounts data. I do appreciate Mailbox.Org team efforts to improve their security for Business accounts. While at the same time, in comparison to other Business email hosting suppliers, for the past 6 years, Mailbox.Org Business services are still VERY WEAK security“ https://userforum-en.mailbox.org/topic/lets-talk-about-2fa-on-this-website-again
All of those security issues while being behind almost all other competitors regarding helpful features: no app, no push notifications, no spam log, no detailed privacy or security dashboard, no notification when there is a new login etc., no yubikey support, no dark mode, no recovery codes for 2FA, etc.
Absolutely no transparency: they don't offer any roadmap with upcoming features and never state (not even roughly) when a feature will come or when a problem will be fixed. Just take a look at the mailbox userforum.
Still providers that completely reject mailbox emails (e.g. twitch, soundcloud)
No anti-spoofing for custom domains despite the topic being open for over 9 years.
Extremely slow development time, e.g. the previous point or even the 2FA that took until 2025. All other competitors had this for YEARS.
Overall attitude issue: the CEO gaslit users that criticized the absolutely unusable previous implementation of 2FA. Support often dismisses fair critique points and comes off as arrogant (lots of reports about this, I can add some sources if needed.)
And the list would go on but this is enough to outline the current state of mailbox, why its disadvantages far outweigh its few advantages and why this provider should not be recommended anymore.