|
|
|
|
|
|
by upofadown
1595 days ago
|
|
|
A sender can throw anything they want in the "From:" field and then sign it. The receiver does not have to agree. What would happen is that the receiver would see that the holder of the domain was different than the domain in the "From:" address and on the basis of bad "domain alignment" could reject the email. I now think that the DMARC stuff is a red herring and would actually help make the current mailbox.org behaviour not all that problematic (they specify "reject" in their DMARC policy). The actual point of dispute is the lack of enforcement of the "From:" address domain. |
|
|
Mailbox.org’s servers have access to 4 private keys as far as I know. These (I mean the matching public keys) are stated in mailbox.org’s DNS records. If you send from an @mailbox.org address you trust mailbox.org to do checking on the Header-From when signing it, as you have no control over which keys you state in DNS. This is the same situation as for any mail provider with a shared domain.
What’s even worse, when using mailbox.org with a custom domain they will have you state the exact same 4 keys in your domain’s DNS records for DKIM to work. There is no way to upload custom keys. So even someone with a custom domain has to trust mailbox.org to not sign strangers’ e-mails.