by brewmarche 1588 days ago
I assume you mean DKIM where you wrote DMARC. A DMARC check results in a pass when at least one of SPF or DKIM is aligned, i.e., SPF alignment alone is enough, which makes this situation even worse because a custom domain user of mailbox.org obviously will have mailbox.org's SMTP server in the SPF record.

It seems this issue was acknowledged 2 years ago: https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...

Edit: re the shared keys you mentioned, I agree. If they had per-user DKIM keys that were only usable after successful SMTP authentication (e.g. by encrypting them with credentials), that would solve the DKIM part of the issue AND even further improve the situation.
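To make the alignment argument above concrete, here is an added example (my own code, not from the comment author or from mailbox.org) of a minimal DMARC evaluator with a toy SPF check. It models the situation the comment describes: a customer domain whose SPF record includes a shared provider relay, so another tenant sending through that relay gets an aligned SPF pass and therefore a DMARC pass, while the provider's shared DKIM key (unaligned `d=`) contributes nothing either way. All domains, IPs and SPF data are constructed; `provider.example`, `example.org`, `attacker.example` and the IP addresses are placeholders, and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup a real verifier performs.

```python
"""Added example, not from the HN comment or from mailbox.org: a minimal
DMARC alignment evaluator with a toy SPF check, to show why an aligned SPF
pass alone yields a DMARC pass. Domains, IPs and records are constructed."""

from dataclasses import dataclass

# Constructed SPF data: which sending IPs each domain authorizes. The customer
# domain example.org includes its hosting provider's shared relay, just as a
# custom-domain user of a hosted mail provider would.
SPF_AUTHORIZED = {
    "example.org": {"203.0.113.10"},       # effectively "include:_spf.provider.example"
    "provider.example": {"203.0.113.10"},
    "attacker.example": {"198.51.100.5"},
}


def organizational_domain(domain: str) -> str:
    """Toy organizational domain: the last two labels.
    Real verifiers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def spf_check(mail_from_domain: str, sender_ip: str) -> str:
    """Toy SPF: 'pass' if the IP is authorized for the RFC5321.MailFrom domain."""
    authorized = SPF_AUTHORIZED.get(mail_from_domain.lower())
    if authorized is None:
        return "none"
    return "pass" if sender_ip in authorized else "fail"


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not identifier_domain:
        return False
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return organizational_domain(identifier_domain) == organizational_domain(from_domain)


@dataclass
class Message:
    from_domain: str        # RFC5322.From domain (what the recipient sees)
    mail_from_domain: str   # RFC5321.MailFrom domain (what SPF is checked against)
    sender_ip: str
    dkim_result: str        # result of verifying the DKIM signature
    dkim_domain: str        # d= tag of the signature that verified ("" if none)


def dmarc_evaluate(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when at least one of SPF or DKIM both passes and is aligned
    with the From: domain; the other mechanism's outcome is then irrelevant."""
    spf_result = spf_check(msg.mail_from_domain, msg.sender_ip)
    spf_aligned = spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, aspf)
    dkim_aligned = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, adkim)
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Scenario 1: another tenant of the same provider spoofs example.org through the
# shared relay. DKIM is signed with the provider's shared key (d=provider.example),
# which is not aligned, but SPF passes and is aligned, so DMARC passes anyway.
SPOOF_VIA_SHARED_RELAY = Message(
    from_domain="example.org", mail_from_domain="example.org",
    sender_ip="203.0.113.10", dkim_result="pass", dkim_domain="provider.example")

# Scenario 2: the same spoof from an IP outside the SPF record fails SPF, and with
# an unaligned signature it fails DMARC.
SPOOF_FROM_OUTSIDE = Message(
    from_domain="example.org", mail_from_domain="example.org",
    sender_ip="198.51.100.5", dkim_result="pass", dkim_domain="attacker.example")

# Scenario 3: legitimate mail signed with the customer's own aligned key passes
# on DKIM even from a path the SPF record does not list (SPF result "none").
LEGIT_ALIGNED_DKIM = Message(
    from_domain="example.org", mail_from_domain="bounce.example.org",
    sender_ip="198.51.100.5", dkim_result="pass", dkim_domain="example.org")


if __name__ == "__main__":
    for name, m in [("spoof via shared relay", SPOOF_VIA_SHARED_RELAY),
                    ("spoof from outside", SPOOF_FROM_OUTSIDE),
                    ("legit aligned DKIM", LEGIT_ALIGNED_DKIM)]:
        print(f"{name:24s} {dmarc_evaluate(m)}")
```

Running it shows scenario 1 as `dmarc: pass` with `dkim_aligned: False`, which is the point of the comment: an SPF record that lists a shared relay hands every co-tenant of that relay an aligned SPF pass. Switching `aspf` to strict mode does not help here, since the spoofed MAIL FROM domain equals the From: domain exactly; only removing the shared relay from SPF (or making the relay refuse unauthenticated use of the domain) closes the gap.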