15
When an MX lookup fails to reveal that an e-mail address traverses Microsoft servers (lemmy.sdf.org)
submitted 1 month ago* (last edited 1 month ago) by evenwicht@lemmy.sdf.org to c/infosec@infosec.pub
17 comments fedilink hide all child comments

Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It’s usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft’s mail server.

But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:

Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…

Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?

you are viewing a single comment's thread
view the rest of the comments
[-] evenwicht@lemmy.sdf.org 2 points 1 month ago

Thanks for the tip. I never studied the SPF stuff. Is that practical to check?

[-] greyfox@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

Yeah it is fairly trivial to check. I called it a SPF record but technically in DNS it is a TXT record. TXT records are just a generic record type used for many different uses.

Here are a few common DNS commands to lookup TXT records:

host -t TXT domainname

nslookup -type=TXT domainname

dig -t TXT domainname

For your barracudanetworks example here we get a few TXT records back but we can see spf.protection.outlook.com is in their list and therefore allowed to send of behalf of the barracudanetworks.com domain. All of the other entries are allowed to send of their behalf too so your email isn't guaranteed to go through Microsoft.

Judging by the Salesforce/Zendesk stuff they probably have ticketing/customer management systems, which means it might be possible to contact them without going through Microsoft's email servers. Notifications from those systems would probably be sending email directly to you instead of routing it through Office365.

[-] evenwicht@lemmy.sdf.org 1 points 1 month ago

Thanks! That’s quite useful.

Before emailing someone or deciding whether they get my email address, I run a script that does an MX lookup which then looks for PRISM corps in the results. It also checks the PGP keyrings to see if they have a pubkey. I’ll have to expand the script to check the TXT records as well now.

this post was submitted on 21 Jun 2025
15 points (100.0% liked)

Information Security

330 readers
1 users here now

founded 2 years ago
MODERATORS
himazawa@infosec.pub