by 15characterslon
1598 days ago
AFAIK they still refuse to acknowledge the problem. But since they deleted the forum thread, how would I know? What they said in the forum doesn't make much sense. Yes, anyone in the world can send emails with any address as "from". The big difference is that those emails won't pass SPF and DMARC checks. If I wanted to use them, I would need to configure SPF and DMARC for my domain so that their mail servers pass those checks. At this point I would expect their mail servers only to allow sending "from" my domain when my account is used. Note that just about any major mail provider does this check (e.g. Google). It is industry standard. It is crazy that they even refuse to acknowledge this. I'm working in this field and this is basic knowledge. I just don't get how they can do this professionally and not understand what the problem is. The only explanation I have is that for some reason it would be hard for them to fix and so they try to ignore it / make it disappear by deleting the forum thread. Also they use the same DMARC key for all customers, which is weird. Usually each customer gets its own DMARC key.
It seems this issue was acknowledged 2 years ago: https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
Edit: re the shared keys you mentioned, I agree. If they had per-user DKIM keys that were only usable after successful SMTP authentication (e.g. by encrypting them with credentials) that would solve the DKIM part of the issue AND even further improve the situation.
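
The check the first comment expects from a provider (a customer domain is accepted as sender only when the account that owns it has authenticated), sketched as an added example that is not part of the thread and not mailbox.org's code. The account table, addresses and function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data: domains each authenticated account has verified.
ACCOUNT_DOMAINS = {
    "alice@provider.example": {"alice-corp.example"},
    "bob@provider.example": {"bob-shop.example"},
}

def _domain(addr):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.strip().rstrip(".").lower()

def may_submit(auth_user, mail_from, raw_message):
    """Decide whether an authenticated submission may use its sender identities.

    Returns (allowed, reason). The SMTP envelope sender (what SPF evaluates)
    and every header From address (what DMARC aligns against) must belong to
    a domain owned by the authenticated account.
    """
    allowed = set(ACCOUNT_DOMAINS.get(auth_user, ()))
    allowed.add(_domain(auth_user))  # the account's own mailbox domain
    allowed.discard(None)            # a malformed login must not match anything
    if _domain(mail_from) not in allowed:
        return False, "envelope sender domain not owned by account"
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False, "message must carry exactly one From header"
    addresses = getaddresses(from_headers)
    if not addresses:
        return False, "From header has no address"
    for _name, addr in addresses:
        if _domain(addr) not in allowed:
            return False, "From domain not owned by account"
    return True, "ok"
```

Without this binding, mail from any customer leaves through the same servers that the other customers' SPF records authorize, which is why the receiving side cannot tell the two apart.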