I see, so their SMTP authentication is woefully broken and they let anybody who can send an e-mail from their SMTP server to put anything in From: ? That's rather hard to believe. The defaults of most SMTP servers like Postfix prevent that. Since I don't want to get banned I don't really want to test that option with their SMTP server.

I took the https://emailspooftest.com/ and while the "spoof" mail gets delivered to mailbox.org's Inbox, my Thunderbird client is all red and it warns me about DKIM and SPF fails.