I think that is not up to date. Mailbox publishes DKIM records: https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...
replySPF is here https://kb.mailbox.org/en/private/custom-domains/spf-dkim-an...
DMARC is up to the domain owner to set.
Lack of records isn't the issue. You authorize mailbox's servers to send on behalf of your domain. Then they let anyone with a mailbox account set the from to your domain.
replyI see, so their SMTP authentication is woefully broken and they let anybody who can send an e-mail from their SMTP server to put anything in From: ? That's rather hard to believe. The defaults of most SMTP servers like Postfix prevent that. Since I don't want to get banned I don't really want to test that option with their SMTP server.
replyI took the https://emailspooftest.com/ and while the "spoof" mail gets delivered to mailbox.org's Inbox, my Thunderbird client is all red and it warns me about DKIM and SPF fails.
I think on the sending side, being able to send from others’ addresses is fixed by now: https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
replyBut it definitely used to be possible, I tried once with success.
Anti spoofing for incoming mails was not perfect the last time I checked either, but is a different issue.
For incoming mail, your client should check regardless of the server provider. On Thunderbird I have this extension: https://github.com/mcortt/EagleEye . It checks for any SPF, DKIM and DMARC fails and shows a banner. SPF/DKIM/DMARC is minimum and pretty useless against spam though. All phishing e-mails in my GMail account have impeccable SPF/DKIM records.
replyOof, what a drag
reply