this post was submitted on 21 Jun 2025
Information Security
You should check for SPF records as well. If they have SPF records (and Microsoft walks them through setting up those records), they would need one for every mail server sending on their behalf.
So it appears that in your case here their MX records pointed at their own MTA that then routes at least some of that email to Microsoft. If they are using SPF records to prevent others from spoofing their email addresses, and if they are allowing Microsoft to send on their behalf, there would have to be SPF records with Microsoft's domains in them.
Still no sure thing but a little more checking that you can do.
This is mostly true, but keep in mind SPF can have IP ranges (in different formats) and includes of other records, so you really have to write something to chase all those lookups, manage CIDR vs individual IPs vs A records, etc., and build a table to use for lookups, if you want it to be accurate.
I suppose that is a concern, but I think those are cloud IPs they move around occasionally and wouldn't want to make every user update their TXT records.
So for this use case I am pretty sure they would always be DNS names if the admins are following Microsoft's instructions.
It looks like they have you set your TXT record to spf.protection.outlook.com, which resolves to a TXT record with a bunch of their IPs. So if you really wanted to make sure there weren't installs with IPs in their list, you can use that TXT record to get Microsoft's IP ranges and search for those as well.
Thanks for the tip. I never studied the SPF stuff. Is that practical to check?
Yeah, it is fairly trivial to check. I called it an SPF record, but technically in DNS it is a TXT record. TXT records are just a generic record type used for many different uses.
Here are a few common DNS commands to lookup TXT records:
host -t TXT domainname
nslookup -type=TXT domainname
dig -t TXT domainname
For your barracudanetworks example here we get a few TXT records back, but we can see spf.protection.outlook.com is in their list and therefore allowed to send on behalf of the barracudanetworks.com domain. All of the other entries are allowed to send on their behalf too, so your email isn't guaranteed to go through Microsoft.
Judging by the Salesforce/Zendesk stuff they probably have ticketing/customer management systems, which means it might be possible to contact them without going through Microsoft's email servers. Notifications from those systems would probably be sending email directly to you instead of routing it through Office365.
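Added example (not code from anyone in this thread): a minimal SPF expander in Python that does the "chase all the includes" work described above and then answers the two questions the thread cares about, whether an IP is allowed to send for a domain and whether spf.protection.outlook.com (or any provider suffix) appears anywhere in the include chain. The DNS table, domain names and IP ranges are constructed so it runs offline; swapping lookup() for a real resolver is assumed to be the reader's job.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real TXT/A lookups; a real script
# would call a resolver (e.g. dnspython's dns.resolver) inside lookup() instead.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 "
                             "include:spf.protection.outlook.com a:mail.example.com -all"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:100::/48 "
                                            "include:spfa.protection.outlook.com -all"],
    ("spfa.protection.outlook.com", "TXT"): ["v=spf1 ip4:198.51.100.128/25 -all"],
    ("mail.example.com", "A"): ["203.0.113.10"],
}

def lookup(name, rtype, resolver=FAKE_DNS):
    return resolver.get((name.lower(), rtype), [])

def expand_spf(domain, resolver=FAKE_DNS, depth=0, seen=None):
    """Return (networks, includes) that a domain's SPF policy authorizes, chasing
    include: and a: terms. Visited names are tracked and depth capped at RFC 7208's
    10 DNS lookups so include loops terminate; mx:, exists:, redirect= are skipped."""
    seen = seen if seen is not None else set()
    nets, includes = [], []
    if depth > 10 or domain.lower() in seen:
        return nets, includes
    seen.add(domain.lower())
    spf = [r for r in lookup(domain, "TXT", resolver) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:               # none or several SPF records is a permerror: authorize nobody
        return nets, includes
    for term in spf[0].split()[1:]:
        term = term.lstrip("+")     # "+" (pass) is the default qualifier
        if not term or term[0] in "-~?":   # fail/softfail/neutral terms authorize nobody
            continue
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "include":
            includes.append(arg)
            sub_nets, sub_inc = expand_spf(arg, resolver, depth + 1, seen)
            nets, includes = nets + sub_nets, includes + sub_inc
        elif mech == "a":           # bare "a" means the domain's own A record(s)
            nets += [ipaddress.ip_network(ip) for ip in lookup(arg or domain, "A", resolver)]
    return nets, includes

def authorized(domain, ip, resolver=FAKE_DNS):
    addr = ipaddress.ip_address(ip)   # True if ip may send for domain per expanded SPF
    return any(addr in net for net in expand_spf(domain, resolver)[0])

def routes_via(domain, provider_suffix, resolver=FAKE_DNS):
    chain = expand_spf(domain, resolver)[1]   # include: names reached from the policy
    return any(name.endswith(provider_suffix) for name in chain)
```

With the table above, routes_via("example.com", "protection.outlook.com") is True and authorized("example.com", "198.51.100.200") is True because the nested include hands out 198.51.100.128/25.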
Thanks! That’s quite useful.
Before emailing someone or deciding whether they get my email address, I run a script that does an MX lookup which then looks for PRISM corps in the results. It also checks the PGP keyrings to see if they have a pubkey. I'll have to expand the script to check the TXT records as well now.