Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It's usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft's mail server.
But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:
Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…
Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?
This is mostly true, but keep in mind SPF can have IP ranges (in different formats) and includes of other records, so you really have to write something to chase all those lookups, manage CIDR vs individual IPs vs A records, etc., and build a table to use for lookups, if you want it to be accurate.
I suppose that is a concern, but I think those are cloud IPs they move around occasionally and wouldn't want to make every user update their TXT records.
So for this use case I am pretty sure they would always be DNS names if the admins are following Microsoft's instructions.
It looks like they have you set your txt record to spf.protection.outlook.com which resolves to a txt record with a bunch of their IPs. So if you really wanted to make sure there weren't installs with IPs in their list you can use that txt record to get Microsoft's IP ranges and search for those as well.
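An added example (not code from the thread) of the lookup chase the replies describe: it recursively follows SPF include:/redirect= terms, collects ip4/ip6 ranges, and combines that with the MX suffix check from the question, also flagging a domain that lists Microsoft addresses directly instead of using the include. DNS is replaced by a constructed in-memory resolver so it runs offline; the sample records, hostnames and IP ranges are assumptions, not real data.

```python
import ipaddress

FAKE_TXT = {  # constructed sample TXT data for offline use, not real records
    "example.com": ["v=spf1 include:spf.protection.outlook.com include:_spf.barracudanetworks.com -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "_spf.barracudanetworks.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "direct.example": ["v=spf1 ip4:203.0.113.10 -all"],   # lists a Microsoft IP by hand
    "loop.example": ["v=spf1 include:loop.example -all"],  # self-referencing include
}

def fake_resolve_txt(name):
    """Stand-in for a live TXT query (e.g. dnspython's dns.resolver.resolve(name, 'TXT'))."""
    return FAKE_TXT.get(name.rstrip(".").lower(), [])

def chase_spf(domain, resolve_txt, max_lookups=10, _seen=None):
    """Follow include:/redirect= recursively; return (names visited, ip networks). Stops on
    cycles and after max_lookups names (RFC 7208's limit). 'a'/'mx' terms are not expanded."""
    seen = _seen if _seen is not None else set()
    nets = []
    name = domain.rstrip(".").lower()
    if name in seen or len(seen) >= max_lookups:
        return seen, nets
    seen.add(name)
    for txt in (t for t in resolve_txt(name) if t.lower().startswith("v=spf1")):
        for term in txt.split()[1:]:
            term = term.lstrip("+-~?")  # drop the qualifier
            if term.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            elif term.startswith(("include:", "redirect=")):
                target = term[8:] if term.startswith("include:") else term[9:]
                nets.extend(chase_spf(target, resolve_txt, max_lookups, seen)[1])
    return seen, nets

MS_MX_SUFFIX, MS_SPF_INCLUDE = ".mail.protection.outlook.com", "spf.protection.outlook.com"

def microsoft_signals(domain, mx_hosts, resolve_txt):
    """Evidence that mail for `domain` touches Microsoft: 'mx' (inbound via Exchange Online),
    'spf-include' (outbound via the include), 'spf-ip' (an SPF address inside Microsoft's ranges)."""
    signals = set()
    if any(h.rstrip(".").lower().endswith(MS_MX_SUFFIX) for h in mx_hosts):
        signals.add("mx")
    visited, nets = chase_spf(domain, resolve_txt)
    if MS_SPF_INCLUDE in visited:
        signals.add("spf-include")
    ms_nets = chase_spf(MS_SPF_INCLUDE, resolve_txt)[1]  # Microsoft's own published ranges
    if any(n.version == m.version and n.subnet_of(m) for n in nets for m in ms_nets):
        signals.add("spf-ip")
    return signals
```

Swapping `fake_resolve_txt` for a real TXT lookup (and feeding in the real MX answer) turns this into the check the question asks for; a gateway like Barracuda in front of the MX is then caught by the SPF side.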