this post was submitted on 21 Jun 2025

Information Security


Before sharing my email address with some person or some org, I do an MX DNS lookup on the domain portion of their email address. It’s usually correct. That is, if the result is not of the form *.mail.protection.outlook.com, then that recipient is not using Microsoft’s mail server.

But sometimes I get stung by an exception. The MX lookup for one recipient yielded barracudanetworks.com, so I trusted them with email. But then they sent me an email and I saw a header like this:

Received: from *.outbound.protection.outlook.com (*.outbound.protection.outlook.com…

Is there any practical way to more thoroughly check whether an email address leads to traffic routing through Microsoft (or Google)?

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago) (5 children)

I realise a guarantee is impossible. Even a Protonmail user could receive a msg from me and then use an MS service to reply manually.

My question was more asking if MX lookups are the /only/ mechanism we have. Have I overlooked another test that would detect more cases?

Certainly it would be feasible to deploy a mail server that blocks inbound MS. This would at least cut off repetitious msgs to me that traverse MS assets. But it’s just theoretical... I don’t think any email service exists with this kind of deliberate configuration.

[–] CarbonatedPastaSauce@lemmy.world 4 points 1 week ago (4 children)

No. Mail routing inside corporate systems can get complex, and you have no way of knowing what kind of routing rules they are using. SMTP simply doesn’t have the ability to trace a path the way traceroute would, for example. Each hop in the SMTP chain is a chance for the receiving MTA to change the path, and that info is never sent upstream. You can only see it after the fact in message headers. And even those can’t really be trusted because any MTA along the path can alter them.

This is why, when it’s important, you have to use encryption.

[–] evenwicht@lemmy.sdf.org 2 points 1 week ago* (last edited 1 week ago) (3 children)

I think I’ve been stung by the same server twice. I vaguely recall another address that resolved to barracudanetworks.com, where msgs from that other user to me had MS Outlook in the headers. So I wonder if barracudanetworks is set up to be a proxy or façade of sorts for MS, in which case I could track this.

So what if for every email I receive, I have a program that checks for MS in the headers and (if MS matches) it does an MX lookup on the sender address, which it could then store in a DB to track patterns. This could also be a shared DB so a group of people could benefit from associating non-MS MX servers (like barracudanetworks) to MS. Imperfect of course, but perhaps accurate enough?

Ultimately this is a GDPR issue. Data subjects are supposed to be able to know who gets their info, and legally they have control over it. Email is somewhat incompatible with the GDPR in this regard.
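The header-then-MX correlation proposed in the comment above, written out as an added example (not code from anyone in the thread). It scans Received headers for Microsoft hostnames, resolves the sender domain's MX through an injected resolver so it runs offline (a real deployment would query DNS), and accumulates MX host to sender-domain associations in a dict standing in for the shared DB; the messages, hostnames and MX answers are constructed.

```python
import email
import re
from email.utils import parseaddr

# Hostname suffixes the thread treats as evidence of Microsoft mail infrastructure.
MS_SUFFIXES = (".outbound.protection.outlook.com", ".mail.protection.outlook.com")
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def ms_hosts_in_received(msg):
    """Hostnames in any Received header that end in a Microsoft suffix."""
    return [h for hdr in msg.get_all("Received", [])
            for h in HOST_RE.findall(hdr) if h.lower().endswith(MS_SUFFIXES)]

def sender_domain(msg):
    """Lowercased domain part of the From address ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def analyze(raw, resolve_mx, db):
    """If the message traversed Microsoft, record the sender's MX hosts against its domain in db.
    resolve_mx(domain) -> list of MX hostnames; injected so the example runs offline
    (a deployment would issue a real DNS MX query, e.g. with dnspython)."""
    msg = email.message_from_string(raw)
    domain, ms_hosts = sender_domain(msg), ms_hosts_in_received(msg)
    mx_hosts = [h.lower().rstrip(".") for h in resolve_mx(domain)] if ms_hosts and domain else []
    for mx in mx_hosts:  # db: MX host -> set of sender domains seen routing via Microsoft
        db.setdefault(mx, set()).add(domain)
    return {"sender_domain": domain, "ms_hosts": ms_hosts, "mx": mx_hosts}

# Constructed samples: MSG_VIA_MS has a third-party MX but a Microsoft outbound host in
# its Received chain (the case from the thread); MSG_DIRECT never touched Microsoft.
MSG_VIA_MS = """\
Received: from mx.hygiene-vendor.example (mx.hygiene-vendor.example [192.0.2.20])
 by mail.recipient.example with ESMTPS; Sat, 21 Jun 2025 10:00:00 +0000
Received: from NAM02-EXAMPLE.outbound.protection.outlook.com
 (mail-example.outbound.protection.outlook.com [192.0.2.10])
 by mx.hygiene-vendor.example with ESMTPS; Sat, 21 Jun 2025 09:59:58 +0000
From: Alice <alice@corp.example>
Subject: hello
"""
MSG_DIRECT = """\
Received: from mail.other.example (mail.other.example [192.0.2.30])
 by mail.recipient.example with ESMTPS; Sat, 21 Jun 2025 11:00:00 +0000
From: Bob <bob@other.example>
Subject: hi
"""
STUB_MX = {"corp.example": ["mx.hygiene-vendor.example."],  # stands in for DNS (constructed)
           "other.example": ["mail.other.example."]}

def stub_resolve_mx(domain):
    return STUB_MX.get(domain, [])
```

Calling `analyze(MSG_VIA_MS, stub_resolve_mx, db)` on an empty `db` leaves it as `{'mx.hygiene-vendor.example': {'corp.example'}}`, i.e. the non-Microsoft MX host is now associated with Microsoft routing, while `MSG_DIRECT` adds nothing.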

[–] CarbonatedPastaSauce@lemmy.world 3 points 1 week ago (1 children)

You’re seeing that behavior because some companies may have mailboxes in M365 but use a different provider for message hygiene, such as Barracuda, Proofpoint, MX Logic, etc. The MX points to them, they forward to an M365 inbound connector (virtual MTA) after inspecting the email.

[–] evenwicht@lemmy.sdf.org 1 point 1 week ago

Well, in that case I guess I should target Barracuda, Proofpoint, and MX Logic in the same way, since 90+% of the world is on MS or Google platforms. That’s probably my practical answer... to distrust any MX servers that are known to be proxies. So, I need a list of proxies like that.
