this post was submitted on 21 Jun 2025
Information Security

330 readers
1 users here now

founded 2 years ago
MODERATORS
 

Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It’s usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft’s mail server.

But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:

Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…

Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?

[–] evujumenuk@lemmy.world 11 points 1 week ago (1 children)

Once a mail server gets hold of your mail, it can basically do whatever it wants with it, including forwarding it to FAANG MXes, HTTP POSTing it to the NSA or publishing it on Pastebin. This is one of the reasons why we push for end-to-end encryption, there can be no confidentiality or integrity otherwise.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago)

I’m w/you on the e2ee, of course. But this requires both people to partake, so the suggestion is broken in most non-p2p situations. In a world where govs, NGOs, and most people are incompetent, e2ee is not generally available. From there, do you want to function at all? You can be 100% dysfunctional if you insist on e2ee. I am almost there, actually. Countless businesses lose my business because they are not on the ball w/security. And gov offices get paper correspondence from me because their digital attempt stinks.

But there are situations where e2ee is not strictly important for a particular situation. Yet I will be damned if I have to dance for Google or MS to get their servers to accept my msgs, all to help the scumbags profit from seeing my payload. So I will send an in-the-clear email to non-FAANG recipients in some cases.

[–] greyfox@lemmy.world 5 points 1 week ago (2 children)

You should check for SPF records as well. If they have SPF records (and Microsoft walks them through setting up those records), they would need one for every mail server sending on their behalf.

So it appears that in your case here their MX records pointed at their own MTA that then routes at least some of that email to Microsoft. If they are using SPF records to prevent others from spoofing their email addresses, and if they are allowing Microsoft to send on their behalf there would have to be SPF records with Microsoft's domains in them.

Still no sure thing but a little more checking that you can do.

[–] CarbonatedPastaSauce@lemmy.world 2 points 1 week ago (1 children)

This is mostly true but keep in mind SPF can have IP ranges (in different formats) and includes of other records, so you really have to write something to chase all those lookups, manage CIDR vs individual IPs vs A records, etc, and build a table to use for lookups, if you want it to be accurate.

[–] greyfox@lemmy.world 2 points 1 week ago

I suppose that is a concern, but I think those are cloud IPs they move around occasionally and wouldn't want to make every user update their TXT records.

So for this use case I am pretty sure they would always be DNS names if the admins are following Microsoft's instructions.

It looks like they have you set your txt record to spf.protection.outlook.com which resolves to a txt record with a bunch of their IPs. So if you really wanted to make sure there weren't installs with IPs in their list you can use that txt record to get Microsoft's IP ranges and search for those as well.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago (1 children)

Thanks for the tip. I never studied the SPF stuff. Is that practical to check?

[–] greyfox@lemmy.world 2 points 1 week ago* (last edited 1 week ago) (1 children)

Yeah it is fairly trivial to check. I called it a SPF record but technically in DNS it is a TXT record. TXT records are just a generic record type used for many different uses.

Here are a few common DNS commands to lookup TXT records:

host -t TXT domainname

nslookup -type=TXT domainname

dig -t TXT domainname

For your barracudanetworks example here we get a few TXT records back but we can see spf.protection.outlook.com is in their list and therefore allowed to send on behalf of the barracudanetworks.com domain. All of the other entries are allowed to send on their behalf too so your email isn't guaranteed to go through Microsoft.

Judging by the Salesforce/Zendesk stuff they probably have ticketing/customer management systems, which means it might be possible to contact them without going through Microsoft's email servers. Notifications from those systems would probably be sending email directly to you instead of routing it through Office365.
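As an added example (not code from anyone in this thread), here is a small Python script that does the check greyfox and CarbonatedPastaSauce describe: it looks up the MX hosts, then flattens the SPF record by chasing include:/redirect= and a:/mx: terms and collecting ip4:/ip6: networks, and flags a provider either by a name suffix or by an IP range landing inside the provider's own published ranges. The DNS zone is an in-memory stand-in with constructed placeholder domains and addresses; replace `resolve` with a real resolver to run it against live DNS.

```python
import ipaddress
import re

# Constructed in-memory zone standing in for live DNS; the outlook.com addresses are
# placeholders, not Microsoft's real published ranges.
ZONE = {
    ("vendor.example", "MX"): ["mx1.vendor.example"],
    ("vendor.example", "TXT"): ["v=spf1 include:spf.protection.outlook.com include:_spf.crm.example ip4:203.0.113.0/24 -all"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    ("_spf.crm.example", "TXT"): ["v=spf1 a:notify.crm.example mx -all"],
    ("_spf.crm.example", "MX"): ["mx.crm.example"],
    ("hidden.example", "TXT"): ["v=spf1 ip4:198.51.100.5 -all"],   # provider IP, no provider name
}
# Provider name suffixes plus the (placeholder) ranges read from their own SPF record.
PROVIDERS = {"outlook.com": [ipaddress.ip_network("198.51.100.0/24")], "google.com": []}
MECH = re.compile(r"(include|redirect|ip4|ip6|a|mx)(?:[:=]([^/]+))?(?:/.*)?$")
def resolve(name, rtype): return ZONE.get((name.lower(), rtype), [])


def expand_spf(domain, seen=None):
    """Flatten SPF into (DNS names it delegates to, IP networks); stops on loops or past 10 domains."""
    seen = seen if seen is not None else set()
    names, nets = set(), set()
    if domain.lower() in seen or len(seen) >= 10:
        return names, nets
    seen.add(domain.lower())
    for txt in resolve(domain, "TXT"):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in (t.lstrip("+-~?") for t in txt.split()[1:]):
            m = MECH.match(term)
            if not m:                        # all, exists, ptr: nothing to chase
                continue
            mech, arg = m.group(1), (m.group(2) or domain)
            if mech in ("include", "redirect"):
                sub_names, sub_nets = expand_spf(arg, seen)
                names, nets = names | {arg} | sub_names, nets | sub_nets
            elif mech in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
            elif mech == "a":
                names.add(arg)
            else:                            # mx: every MX host of arg may send too
                names.update(resolve(arg, "MX"))
    return names, nets


def transit_providers(domain):
    """Providers that the domain's MX hosts or flattened SPF point at, by name or by IP."""
    names, nets = expand_spf(domain)
    names |= set(resolve(domain, "MX"))
    return sorted(p for p, p_nets in PROVIDERS.items()
                  if any(n == p or n.lower().endswith("." + p) for n in names)
                  or any(v.version == q.version and v.subnet_of(q) for v in nets for q in p_nets))
```

Note that hidden.example is flagged only because its ip4 term sits inside the placeholder outlook.com range, which is the case greyfox's last comment warns a name-only check would miss.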

[–] evenwicht@lemmy.sdf.org 1 points 1 week ago

Thanks! That’s quite useful.

Before emailing someone or deciding whether they get my email address, I run a script that does an MX lookup which then looks for PRISM corps in the results. It also checks the PGP keyrings to see if they have a pubkey. I’ll have to expand the script to check the TXT records as well now.

[–] CarbonatedPastaSauce@lemmy.world 4 points 1 week ago (1 children)

No you can’t guarantee this. Migration scenarios alone can cause some complex mail routing where part of an org might be on premises and another part on M365.

Once you hand off the mail, the receiving MTA ‘owns’ it and can do whatever it wants with it.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago) (1 children)

I realise a guarantee is impossible. Even a Protonmail user could receive a msg from me and then use an MS service to reply manually.

My question was more asking if MX lookups are the /only/ mechanism we have. Have I overlooked another test that would detect more cases?

Certainly it would be feasible to deploy a mail server that blocks inbound MS. This would at least cut off repetitious msgs to me that traverse MS assets. But it’s just theoretical. I don’t think any email service exists with this kind of deliberate configuration.

[–] CarbonatedPastaSauce@lemmy.world 4 points 1 week ago (1 children)

No. Mail routing inside corporate systems can get complex, and you have no way of knowing what kind of routing rules they are using. SMTP simply doesn’t have the ability to trace a path the way traceroute would, for example. Each hop in the SMTP chain is a chance for the receiving MTA to change the path and that info is never sent upstream. You can only see it after the fact in message headers. And even those can’t really be trusted because any MTA along the path can alter them.

This is why, when it’s important, you have to use encryption.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago) (2 children)

I think I’ve been stung by the same server twice. I vaguely recall another address that resolved to barracudanetworks.com, where msgs from that other user to me had MS outlook in the headers. So I wonder if barracudanetworks is set up to be a proxy or façade of sorts for MS, in which case I could track this.

So what if for every email I receive, I have a program that checks for MS in the headers and (if MS matches) it does an MX lookup on the sender address, which it could then store in a DB to track patterns. This could also be a shared DB so a group of people could benefit from associating non-MS MX servers (like barracudanetworks) to MS. Imperfect of course, but perhaps accurate enough?

Ultimately this is GDPR issue. Data subjects are supposed to be able to know who gets their info and legally they have control over it. Email is somewhat incompatible with the GDPR in this regard.

[–] Brkdncr@lemmy.world 4 points 1 week ago

Barracuda provides email gateway security for any email server including Exchange Online.

There’s no way to tell unless you see the message route itself. To do that you’d need to see the headers of a message sent by you after it’s received by the recipient. This is simply the expected design of email transport.

[–] CarbonatedPastaSauce@lemmy.world 3 points 1 week ago (1 children)

You’re seeing that behavior because some companies may have mailboxes in M365 but use a different provider for message hygiene, such as Barracuda, Proofpoint, MX Logic, etc. The MX points to them, they forward to an M365 inbound connector (virtual MTA) after inspecting the email.

[–] evenwicht@lemmy.sdf.org 1 points 1 week ago

Well, in that case I guess I should target Barracuda, Proofpoint, and MX Logic in the same way, since 90+% of the world is on MS or Google platforms. That’s probably my practical answer: to distrust any MX servers that are known to be proxies. So, I need a list of proxies like that.

[–] troyunrau@lemmy.ca 3 points 1 week ago (1 children)

Question: as a small business owner, we have trouble with Microsoft hosted email aggressively spam filtering. So when we notice it in their headers or similar, we will follow up on emails to them with a phone call or text message saying "sent you an email -- if you don't see it, check your spam trap"

It's taken almost four years, a dedicated IP and host, and a lot of people flagging us as not-spam to finally have a better than 50% chance with Microsoft hosted customers.

But this is the InfoSec community and your reasons are probably entirely separate. Out of curiosity, why are you declining to transit Microsoft servers? Worried about inspection or something?

[–] evenwicht@lemmy.sdf.org 1 points 1 week ago* (last edited 1 week ago)

But this is the InfoSec community and your reasons are probably entirely separate.

Infosec broadly covers:

  • Confidentiality
  • Integrity
  • Availability

Your problem as you describe it boils down to availability (which some would say is the most important infosec factor). I also have a serious availability issue with Microsoft. When I send email to an MS recipient (back in the days when I was willing to), MS’s servers refuse my msg because MS aggressively implements a strict IP reputation policy. And to be clear, you need not ever send any spam to have a bad IP reputation. You can simply subscribe to an ISP that gives you an IP address which the ISP has published as “residential”. And just like that, the discrimination machine kicks in.

MS does not want mail from self-hosters like myself. They want to force me to dance for them. Even though my email is RFC-compliant, MS wants me to subscribe to a more costly business class of internet service, or to pawn myself to another email service provider.

Either way, MS can fuck off. I will not lick MS’s boots.

Out of curiosity, why are you declining to transit Microsoft servers? Worried about inspection or something?

First of all, I boycott MS. The boycott is mostly driven by factors unrelated to infosec. Boycotting is no longer just refusal to buy their junk -- boycotting also means to not feed them data because they profit from the data (otherwise, why are they gratis?) I am not generally worried about info in my payloads being specifically exploited in some kind of attack by MS, but I will not feed MS data that it can profit from. I also protest non-US govs throwing away their digital sovereignty and making all their people lick the boots of a privacy-abusing US surveillance advertiser.