Email Provider Mailbox.org launches one-time passwords and custom domain support
Mailbox.org is a German email service that puts a strong focus on privacy and security. Among the features are full inbox encryption as well as minimal logging and retention of logs.
The service is not free but starts at €1 per month for 3 email aliases and 2 Gigabytes of online storage. A side effect of this is that the service does not use advertising.
Mailbox.org introduced a set of new features recently. The first adds support for one-time passwords to the service. These passwords work only once before they are no longer valid. While you can always sign in with your main password, using a one-time password may make sense in certain situations, for instance when you are using a public computer or connect to a public network.
One-time passwords work in conjunction with YubiKeys, which we first reviewed back in 2010. So, whenever you want to sign in to your Mailbox account, you connect the USB device to the computer to do so.
This however is only part of it. Mailbox.org has added a four-digit PIN to the process as well, which you need to enter to complete the process. The idea here is that protection would be relatively weak if only the username and the one-time password of the Yubikey were required. The PIN adds another layer of protection to the process to improve security.
With the new feature enabled, you have three login options:
- Normal authentication using the account username and password.
- One-time password login or basic authentication.
- One-time password login only.
The system can only be used with Yubikeys ordered from Mailbox.org currently. The company stated in a blog post that it is working on a solution to add support for third-party Yubikeys as well.
The second change adds support for custom domains to the service. What is meant by that is that you can use Mailbox.org to create email addresses using domains that you own.
You do need to redirect the mail nameserver entries to Mailbox.org before you can do so though, which means that you need to use the service for all email addresses of that domain.
Another restriction is that all email aliases from that domain will become available under the same Mailbox.org account. If that is not an issue, do the following to set it up:
- Log in to your Mailbox.org account and open the settings.
- There you find an option to add an external address under create aliases.
- Add a new email address using the domain name that you want to use.
- The system will display a security code that you need to add to the DNS record of the domain.
- Once that is out of the way, you need to set the correct MX records as well. The reason why you do not make the change immediately is that email will be rejected until the correct security code is set.
- The three servers that you need to add are: mxext1.mailbox.org, mxext2.mailbox.org, mxext3.mailbox.org with priorities 10, 10 and 20.
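The last two steps can be checked before relying on the new setup. The following is an added example, not code from Mailbox.org or the original article: it parses the output of `dig +short MX <domain>` and compares it with the three hosts and priorities listed above. The sample outputs and the host `mail.old-provider.example` are constructed for illustration.

```python
# Added example: validate MX answers for a custom domain against the
# three hosts and priorities listed in the article.
EXPECTED_MX = {
    "mxext1.mailbox.org": 10,
    "mxext2.mailbox.org": 10,
    "mxext3.mailbox.org": 20,
}

def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` lines ("<priority> <host>.") into {host: priority}."""
    records = {}
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not an MX answer
        records[parts[1].rstrip(".").lower()] = int(parts[0])
    return records

def check_mx(dig_output):
    """Return a list of findings; an empty list means the MX set matches."""
    found = parse_mx(dig_output)
    findings = []
    for host, prio in EXPECTED_MX.items():
        if host not in found:
            findings.append(f"missing MX {host}")
        elif found[host] != prio:
            findings.append(f"{host} has priority {found[host]}, expected {prio}")
    # Any extra MX host is a path by which mail can leave the intended service.
    for host in sorted(set(found) - set(EXPECTED_MX)):
        findings.append(f"unexpected MX {host}: mail may be delivered outside mailbox.org")
    return findings

# Constructed sample outputs (not real lookups).
GOOD = """10 mxext1.mailbox.org.
10 mxext2.mailbox.org.
20 mxext3.mailbox.org.
"""
LEFTOVER = """10 mxext1.mailbox.org.
20 mxext2.mailbox.org.
30 mail.old-provider.example.
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("LEFTOVER", LEFTOVER)):
        print(name, check_mx(sample) or "OK")
```

A leftover MX entry from a previous provider is the case worth catching: mail sent to it never reaches the new mailbox.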
Both changes make sense and improve the usability and security of the service, at least for some users. It is worth noting that both features require improvements in the future to improve their appeal. The Yubikey implementation for instance requires support for third-party Yubikeys while the custom domain feature should support multi-user email addresses for custom domains.
This service seems almost too good to be true (if their website is to be believed that is). Why haven’t I heard about it before? Why is there so little information when I type them into Google? What have I missed? What’s the catch?
Probably because they are German and while they have an English translation of their site, they may focus on Germany mostly right now. Don’t really know. You can read the comments under the original review for pointers.
Although we have been operating email services since 1992 (https://mailbox.org/en/history/), mailbox.org is a new brand that we launched only in February. Support for the English language has only been live for less than 4 weeks, so the traction in the English-speaking countries has yet to be developed.
Since we launched English, our main focus is indeed the worldwide community of privacy-sensitive people (who speak English or German).
If you have any questions, feel free to ask them, I will try to answer as best as I can.
It would be nice to see a better implementation of external domains. Their page states you can’t use TLS with your own domains and I assume that they don’t use SPF or DKIM either, if it’s possible to send FROM your own domain and not just ON BEHALF OF your domain.
I’ll be keeping my eyes open, because I am definitely shopping around for a replacement to Google Apps, especially now that Microsoft has discontinued email hosting for your own domain.
“It would be nice to see a better implementation of external domains. Their page states you can’t use TLS with your own domains and I assume that they don’t use SPF or DKIM either”
SPF can be used with your own domains. I moved all my Google Apps domains to mailbox.org and I have SPF on all of them without any issues. You only need to copy the SPF records for mailbox.org and add it to the DNS for your own domains.
Mailbox is indeed an interesting email service that provides a level of PGP integration but doesn’t go to much-needed extents – which is why some of my colleagues have avoided it in the past (especially when they want to import their external PGP keypairs).
At this junction of interoperability (of PGP and S/MIME) – I personally prefer Mailfence (https://www.mailfence.com) which not only provides true end-to-end encryption and digital signing, but also gives full OpenPGP interoperability with a dedicated keystore.
However, Mailbox does hold its own pluses when it comes to other shady services, especially like protonmail…