It doesn't support syncing properly, if you use it on desktop + Android + iOS you have to trust three different app vendors, browser integration isn't nearly as good as 1Password, custom fields are badly integrated.
They had massive problems with their main database cluster (MySQL). If you read through their engineering blog, most of the outages were related to their growth and the main database cluster. They moved workloads for some features to different clusters, but that's only to buy more time. Eventually they'll do proper shredding (by user or org I guess, not by feature) but that takes time.
That's not true. SPF and DKIM were explicitly made to prevent email forging by authenticating the server, and the server is responsible for authenticating the user.
Please name even a single major mail provider that allows to send emails with arbitrary "from" headers.
As others said, DKIM always includes "from". And almost none of the emails I get are S/MIME or PGP signed.
Like you said: SPF and DMARC only authenticate the server. It's up to the server to authenticate the user.
Scenario: imagine your bank uses Mailbox.org to send emails. How would you verify that an email is legit? Any Mailbox user can send emails through Mailbox with your bank as "from" and all of these emails pass SPF and DKIM checks. Your mail server has no way to distinct a legit email from a fake one. This is why it's important that the server does this check (check that sender account and "from" match / are a valid combination).
AFAIK they still refuse to acknowledge the problem. But since they deleted the forum thread, how would I know.
What they said in the forum doesn't make much sense. Yes, anyone in the wold can send emails with any address as "from". The big difference is that those emails won't pass SPF and DMARC checks.
If I wanted to use them, I would need to configure SPF and DMARC for my domain so that their mail servers pass those checks. At this point I would expect their mail servers only to allow sending "from" my domain when my account is used.
Note that just about any major mail provider does this check (e.g. Google). It is industry standard. It is crazy that they even refuse to acknowledge this. I'm working in this field and this is basic knowledge. I just don't get how they can do this professionally and not understand what the problem is. The only explanation I have is that for some reason it would be hard for them to fix and so they try to ignore it / make it disappear by deleting the forum thread.
Also they use the same DMARC key for all customers, which is weird. Usually each customer gets it's own DMARC key.
Be aware that Mailbox.org allows any user to send emails as ("from") any other user via SMTP and these emails will look legit since they pass SPF and DKIM checks. Many consider this a security issue.
There was a quite lengthy discussion about this in their forum but they deleted it since. They refused to fix it. Archive.org still has it. Content is in German (sorry):
But what alternatives are there? I just need a solution for the usual stuff: mail, contacts, calendar, notes, tasks, files and meetings. Microsoft? Haha, hell no (they never did free anyway). Also using multiple services (e.g. Fastmail for mail and Dropbox for files) is way more expensive.
Maybe deliver high quality results for adblock users only. Lower server costs for adblock users while maximizing ad-revenue for users without adblock. Win-win.
You can set your own passphrase in sync settings. This will enable end-to-end encryption and Google won't be able to read your synced data (not just passwords but also history and other synced data).
I didn't mean to insult you. I think it's great if you're experimenting and I fully support that. It's just that the headline set high expectations and the article reads like this is being used in production, which I would strongly advise against.