by brewmarche 1592 days ago
Yes, lack of enforcement by mailbox.org on the Header-From when signing DKIM is the problem for DMARC IMO. It means I can’t trust a DMARC pass due to aligned DKIM.

Mailbox.org’s servers have access to 4 private keys as far as I know. These (I mean the matching public keys) are stated in mailbox.org’s DNS records. If you send from an @mailbox.org address you trust mailbox.org to do checking on the Header-From when signing it, as you have no control over which keys you state in DNS. This is the same situation as for any mail provider with a shared domain.

What’s even worse, when using mailbox.org with a custom domain they will have you state the exact same 4 keys in your domain’s DNS records for DKIM to work. There is no way to upload custom keys. So even someone with a custom domain has to trust mailbox.org to not sign strangers’ e-mails.


The DKIM key is in your DNS. Does mailbox.org provide a DNS service and somehow enforce what you put in there?

Added: Wait, how would that even work? You need to generate your own DKIM key.

No one is forcing me, but not using it would mean I can’t have DKIM signatures, wouldn’t it? As far as I know there are no mail clients that add the signature before sending it to the MSA, but I might be wrong.
Re the addendum: No, mailbox.org does not support using your own keys.
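The alignment problem discussed in this thread, as an added example that is not part of the original posts: a DMARC verifier only checks that the DKIM `d=` domain aligns with the Header-From domain, so a shared-domain signer that does not tie the Header-From to the authenticated submitter can produce a legitimately aligned pass for any local part. The second function is a constructed signer-side check of that kind (a hypothetical policy, not mailbox.org's code); the public-suffix set is a small constructed stand-in for the Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List: only the suffixes this example needs.
PUBLIC_SUFFIXES = {"org", "com", "co.uk"}


def org_domain(domain):
    """Organizational domain: the label directly above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def dkim_aligned(from_header, dkim_d, mode="r"):
    """DMARC identifier alignment (RFC 7489 section 3.1.1) between the RFC5322.From
    domain and the DKIM d= domain. mode 'r' (relaxed) compares organizational
    domains; mode 's' (strict) requires the two domains to be identical."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    dkim_d = dkim_d.lower()
    if mode == "s":
        return from_domain == dkim_d
    return org_domain(from_domain) == org_domain(dkim_d)


def msa_may_sign(authenticated_user, from_header, allowed_identities):
    """Hypothetical signer-side check: the MSA signs only when the Header-From is an
    identity the authenticated submitter owns. Without this, a DKIM signature with
    d=mailbox.org on a forged @mailbox.org From still aligns and DMARC passes."""
    from_addr = parseaddr(from_header)[1].lower()
    owned = {a.lower() for a in allowed_identities.get(authenticated_user, ())}
    return from_addr in owned


# Constructed sample data: user "alice" owns a shared-domain address and a custom-domain one.
IDENTITIES = {"alice": ["alice@mailbox.org", "alice@example.com"]}

if __name__ == "__main__":
    forged = "Bob <bob@mailbox.org>"
    # The verifier side cannot tell this apart from a genuine message from bob.
    print("aligned (relaxed):", dkim_aligned(forged, "mailbox.org"))
    # Only the signer can refuse it, by checking From against the authenticated user.
    print("signer should sign:", msa_may_sign("alice", forged, IDENTITIES))
```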