[brightball]

If you’re using DMARC the from and the DKIM signature must be aligned or it doesn’t pass. Simply passing any DKIM check isn’t enough.

[upofadown]

Mailbox.org has a DMARC policy of "reject". So receivers that enforced DMARC and did "domain alignment" would reject the email. Does that make what mailbox.org does with the "From:" address OK?

[brightball]

Not if they are still signing it with the private key for the domain.

If an email is sent with a From of @bob.com and DKIM signed using the private key for bob.com…it’s from bob.com.