[okanat]

I see, so their SMTP authentication is woefully broken and they let anybody who can send an e-mail from their SMTP server to put anything in From: ? That's rather hard to believe. The defaults of most SMTP servers like Postfix prevent that. Since I don't want to get banned I don't really want to test that option with their SMTP server.

I took the https://emailspooftest.com/ and while the "spoof" mail gets delivered to mailbox.org's Inbox, my Thunderbird client is all red and it warns me about DKIM and SPF fails.

[brewmarche]

I think on the sending side, being able to send from others’ addresses is fixed by now: https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...

But it definitely used to be possible, I tried once with success.

Anti spoofing for incoming mails was not perfect the last time I checked either, but is a different issue.

[okanat]

For incoming mail, your client should check regardless of the server provider. On Thunderbird I have this extension: https://github.com/mcortt/EagleEye . It checks for any SPF, DKIM and DMARC fails and shows a banner. SPF/DKIM/DMARC is minimum and pretty useless against spam though. All phishing e-mails in my GMail account have impeccable SPF/DKIM records.