Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It’s usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft’s mail server.
But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:
Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…
Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?
You should check for SPF records as well. If they have SPF records (and Microsoft walks them through setting up those records), they would need one for every mail server sending on their behalf.
So it appears that in your case here their MX records pointed at their own MTA that then routes at least some of that email to Microsoft. If they are using SPF records to prevent others from spoofing their email addresses, and if they are allowing Microsoft to send on their behalf there would have to be SPF records with Microsoft's domains in them.
Still no sure thing but a little more checking that you can do.
Thanks for the tip. I never studied the SPF stuff. Is that practical to check?
Yeah, it is fairly trivial to check. I called it an SPF record, but technically in DNS it is a TXT record. TXT records are just a generic record type used for many different purposes.
Here are a few common DNS commands to lookup TXT records:
host -t TXT domainname
nslookup -type=TXT domainname
dig -t TXT domainname
For your barracudanetworks example we get a few TXT records back, but we can see spf.protection.outlook.com is in their list and therefore allowed to send on behalf of the barracudanetworks.com domain. All of the other entries are allowed to send on their behalf too, so your email isn't guaranteed to go through Microsoft.
Judging by the Salesforce/Zendesk stuff they probably have ticketing/customer management systems, which means it might be possible to contact them without going through Microsoft's email servers. Notifications from those systems would probably be sending email directly to you instead of routing it through Office365.
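The SPF check described above, written out as an added example that is not part of this thread: a small Python script that reads a domain's MX hosts and SPF TXT record, follows every include:/redirect= term, and reports which known providers appear anywhere in that chain. It queries a constructed in-memory zone (the made-up domain example-corp.test with RFC 5737 documentation address ranges) so it runs offline; the sample_resolver and the PROVIDER_SUFFIXES list are assumptions to swap for a real DNS lookup and your own provider list.

```python
import re

# Constructed sample zone for offline use (example-corp.test is a made-up
# domain; the address ranges are RFC 5737 documentation blocks, not real ones).
SAMPLE_DNS = {
    ("example-corp.test", "MX"): ["mx1.example-corp.test."],
    ("example-corp.test", "TXT"): [
        "v=spf1 mx include:spf.protection.outlook.com include:_spf.salesforce.com -all"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("_spf.salesforce.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

# Coarse heuristic (assumed list): any name at or under a suffix counts as that provider.
PROVIDER_SUFFIXES = {"microsoft": ("protection.outlook.com",),
                     "google": ("google.com",)}

def sample_resolver(name, rtype):
    """Stand-in for a DNS query; replace with a real resolver (e.g. dnspython) for live use."""
    return SAMPLE_DNS.get((name.lower().rstrip("."), rtype), [])

def _under(name, suffix):
    return name == suffix or name.endswith("." + suffix)

def spf_chain(domain, resolver=sample_resolver, seen=None, depth=0):
    """Return `domain` plus every domain reached through include:/redirect= in its SPF.
    Depth is capped because RFC 7208 limits a record to 10 DNS-querying terms."""
    seen = set() if seen is None else seen
    domain = domain.lower().rstrip(".")
    if depth > 10 or domain in seen:          # loop-safe and bounded
        return seen
    seen.add(domain)
    for txt in resolver(domain, "TXT"):
        terms = txt.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue                          # other TXT records are not SPF
        for term in terms[1:]:
            m = re.match(r"^[+\-~?]?(?:include:|redirect=)(\S+)$", term, re.I)
            if m:
                spf_chain(m.group(1), resolver, seen, depth + 1)
    return seen

def providers_for(domain, resolver=sample_resolver):
    """Known providers named in `domain`'s MX hosts or anywhere in its SPF chain."""
    names = {h.lower().rstrip(".") for h in resolver(domain, "MX")}
    names |= spf_chain(domain, resolver)
    return {p for p, sufs in PROVIDER_SUFFIXES.items()
            if any(_under(n, s) for n in names for s in sufs)}

if __name__ == "__main__":
    print(providers_for("example-corp.test"))  # {'microsoft'}
```

As the thread notes, a provider in the SPF chain only means it is permitted to send for the domain, not that every message will go through it.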
Thanks! That’s quite useful.
Before emailing someone or deciding whether they get my email address, I run a script that does an MX lookup which then looks for PRISM corps in the results. It also checks the PGP keyrings to see if they have a pubkey. I’ll have to expand the script to check the TXT records as well now.