I have a list of e-mail domains for which I wanted to confirm whether they're using Office 365 or Google Mail for mail. Checking MX records using nslookup can do the job, but I noted that a few companies use an anti-spam service as their DNS MX and then redirect to the mail service's MX, obfuscating the e-mail server itself. Does anyone know a way to identify what is behind the mail exchanger, and whether it's Office 365 or Google?
1 Answer
If you have access to email sent from those domains, the headers will contain a wealth of information that will help you determine where they're hosted. The downside is that, unlike poking at their public MX records, you'll need to get actual email from someone there in order to get headers to examine.
The Received: header is prepended to the message by each mail server that handles your message. If you find entries like this, that's an indication it comes from an Office 365 user:
Received: from BY2FFO11FD003.protection.gbl (2a01:111:f400:7c0c::150) by
DM2PR07CA0012.outlook.office365.com (2a01:111:e400:2414::12) with Microsoft
SMTP Server (TLS) id 15.1.409.15 via Frontend Transport; Mon, 15 Feb 2016
07:05:08 +0000
(Remember that Received: headers are prepended: the ones closest to the top are from your mail server; the ones farthest down in the header block are closest to the sender.)
Also, Microsoft tends to be verbose in their use of X- headers:
X-MS-Office365-Filtering-Correlation-Id: 1d91711e-ed71-457b-940d-08d335d6569e
X-Microsoft-Antispam-PRVS: <CO1PR07MB9408BD5A137BB4D0DD62AD9F6AC0@CO1PR07MB940.namprd07.prod.outlook.com>
Gmail users, on the other hand, are going to route through Google.com mail servers:
Received: by mail-qk0-f174.google.com with SMTP id c73so160486949qkg.2
for <gowenfawr@example.com>; Mon, 20 Jun 2016 06:09:04 -0700 (PDT)
And there are other headers you can expect will indicate Gmail:
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:from:content-transfer-encoding:mime-version
:subject:message-id:date:to;
bh=r/jgn896D9B3/dGqTvjA6Oypoq6NXeS9bZtz6pRcJVM=;
b=V7bSJBRm/pZEAA3eYQ+6bRouRLOReIPeLxHuweA7vk0/nFs+qW8NCOC5Cm3SfYBFXH
IcYgRDWaxu4ckR3K5Nd6MGRxil2Rdcf/mSoJp2ODgrdIPqwS9KQl3lA/1VsngRk1VE0I
in/g1XY/z08KOMZHjJlD8X7TXNSxvtBC/CpfaXsll1AZ690qvuvF1oV5JfZrxv3TflHb
TFWpkxkRVlKXD9uMsKkyNUiOhP654NMtRDAEhZL8ZlrytYX654OtoqkxblGGhUtcnvap
9vEliKWJzZ4WnzZ9lPbqDmffEJ52R4pYFCfkPzlycZ3qQd/AyXz3qGFfKYQG/s1qFyr2
MEug==
X-Gm-Message-State: ALyK8tKapGupKvgAgZijc99P8ZvHpBqDPU3gNZLUw+bow15vQEcL4HYQNx19EMxYLRHKBQ==
Now, if a domain is sending their email to an anti-spam service which then forwards it to Google, then presumably the Google mail servers will accept mail for that domain even though the MX records do not point to it. You can test for this by connecting to the Google mail exchangers on port 25 (SMTP) and testing if they'll accept email for the domain in question using simple SMTP commands (helo, mail from, rcpt to, quit).
I don't know of a domain that follows this pattern (MX = anti-spam, then -> Google), but here's an SMTP transaction that shows Google willing to accept email for the domain 'stackexchange.com' (which is truly hosted at Google):
$ telnet aspmx.l.google.com 25
Trying 74.125.28.26...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP e14si35146749pap.172 - gsmtp
helo pool-10-1-2-3.bstnma.fios.verizon.net
250 mx.google.com at your service
mail from: <yourname@pool-10-1-2-3.bstnma.fios.verizon.net>
250 2.1.0 OK k9si37945038pfj.91 - gsmtp
rcpt to: <postmaster@stackexchange.com>
250 2.1.5 OK k9si37945038pfj.91 - gsmtp
quit
221 2.0.0 closing connection k9si37945038pfj.91 - gsmtp
Connection closed by foreign host.
$
The "250" response after the "rcpt to: " tells you that Google is willing to accept mail for example.net.
In contrast, here's the same sort of test with a domain that Google doesn't manage mail for, 'play4kd.com':
$ telnet aspmx.l.google.com 25
Trying 74.125.28.27...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP xi11si6702300pac.134 - gsmtp
helo pool-10-1-2-3.bstnma.fios.verizon.net
250 mx.google.com at your service
mail from: <yourname@pool-10-1-2-3.bstnma.fios.verizon.net>
250 2.1.0 OK xi11si6702300pac.134 - gsmtp
rcpt to: <postmaster@play4kd.com>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 https://support.google.com/mail/answer/6596 xi11si6702300pac.134 - gsmtp
quit
221 2.0.0 closing connection xi11si6702300pac.134 - gsmtp
Connection closed by foreign host.
$
In this case, the "rcpt to: " command was followed by a "550" failure code, indicating that Google will not accept mail for this domain.
Now, this isn't a perfect test. In my testing some domains that are presumably not hosted at Google, like microsoft.com, would have been accepted by Google.com. But it might be better than nothing.
- Incredible answer. Thanks. Any way to poke DNS or Microsoft/Google servers (maybe an API?) and find out if they're responding for a particular domain? – Frosa Jun 20 '16 at 22:14
- @Frosa updated answer to show how to poke using SMTP to determine if the mail exchanger for Google is willing to accept mail for a particular domain. (Easily automated, and you can try it against Microsoft mail exchangers as well.) – gowenfawr Jun 21 '16 at 05:47
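The two techniques in the answer above, automated as an added example (this is not code from the original post or from the answerer). The first half fingerprints a raw header block as Office 365 or Gmail using the Received: hostnames and X- headers quoted in the answer; the patterns are distilled from those quotes and are not an exhaustive list of what either provider emits. The second half drives the HELO / MAIL FROM / RCPT TO / QUIT exchange through any object with smtplib's `helo`/`mail`/`rcpt`/`quit` methods and turns the RCPT TO reply code into a verdict. `FakeMX`, the HELO name `probe.example.net`, the sender `probe@example.net` and the sample header blocks are constructed so the script runs offline; for a real probe you would pass `smtplib.SMTP("aspmx.l.google.com", 25, timeout=20)` as `conn` instead.

```python
"""Automating the answer's two checks: fingerprint a raw header block as Office
365 / Gmail, and run the HELO / MAIL FROM / RCPT TO probe against an MX.
The samples and FakeMX below are constructed so this runs offline."""
import re
from email.parser import HeaderParser

# Fingerprints distilled from the headers quoted in the answer (not exhaustive).
O365_HOSTS = re.compile(r"\.(outlook\.office365\.com|protection\.gbl"
                        r"|protection\.outlook\.com|prod\.outlook\.com)\b", re.I)
GMAIL_HOSTS = re.compile(r"\b(mail-[a-z0-9-]+\.google\.com|mx\.google\.com)\b", re.I)
O365_XPREFIXES = ("X-MS-Office365-", "X-Microsoft-Antispam")
GMAIL_XPREFIXES = ("X-Google-DKIM-Signature", "X-Gm-Message-State")


def classify_headers(raw_headers):
    """Return (provider, evidence): 'office365' | 'gmail' | 'unknown' plus the
    header names that matched. Received: headers are prepended, so strip your
    own receiving hops first or you may fingerprint your own provider."""
    msg = HeaderParser().parsestr(raw_headers)
    hits = {"office365": [], "gmail": []}
    for name, value in msg.items():
        if name.lower() == "received":
            if O365_HOSTS.search(value):
                hits["office365"].append(name)
            if GMAIL_HOSTS.search(value):
                hits["gmail"].append(name)
        elif name.startswith(O365_XPREFIXES):
            hits["office365"].append(name)
        elif name.startswith(GMAIL_XPREFIXES):
            hits["gmail"].append(name)
    if hits["office365"] and not hits["gmail"]:
        return "office365", hits["office365"]
    if hits["gmail"] and not hits["office365"]:
        return "gmail", hits["gmail"]
    return "unknown", hits["office365"] + hits["gmail"]  # nothing, or mixed


def rcpt_probe(conn, domain, helo_name, sender, mailbox="postmaster"):
    """Walk the HELO / MAIL FROM / RCPT TO / QUIT exchange shown in the answer on
    an open smtplib.SMTP-like object; return (code, text) of the RCPT TO reply."""
    code, text = conn.helo(helo_name)
    if code != 250:
        raise RuntimeError(f"HELO refused: {code} {text.decode(errors='replace')}")
    code, text = conn.mail(sender)
    if code != 250:
        raise RuntimeError(f"MAIL FROM refused: {code} {text.decode(errors='replace')}")
    code, text = conn.rcpt(f"{mailbox}@{domain}")
    conn.quit()  # end the session cleanly instead of dropping the socket
    return code, text.decode(errors="replace")


def verdict(code):
    """250 => the MX accepts mail for the domain; 5xx => it does not; 4xx is a
    temporary deferral and proves nothing. As the answer notes, a 250 is only
    evidence: some MXs accept for domains they do not really host."""
    if 200 <= code < 300:
        return "accepted"
    if 500 <= code < 600:
        return "rejected"
    return "indeterminate"


class FakeMX:
    """Constructed smtplib.SMTP stand-in: 250 for hosted domains, 550 5.1.1 otherwise."""
    def __init__(self, hosted_domains):
        self.hosted = {d.lower() for d in hosted_domains}
        self.transcript = []
    def helo(self, name):
        self.transcript.append(f"helo {name}")
        return 250, b"mx.google.com at your service"
    def mail(self, sender):
        self.transcript.append(f"mail from: <{sender}>")
        return 250, b"2.1.0 OK"
    def rcpt(self, recipient):
        self.transcript.append(f"rcpt to: <{recipient}>")
        if recipient.rsplit("@", 1)[-1].lower() in self.hosted:
            return 250, b"2.1.5 OK"
        return 550, b"5.1.1 The email account that you tried to reach does not exist."
    def quit(self):
        self.transcript.append("quit")
        return 221, b"2.0.0 closing connection"


# Constructed samples assembled from the header fragments quoted in the answer.
SAMPLE_O365 = (
    "Received: from BY2FFO11FD003.protection.gbl (2a01:111:f400:7c0c::150) by\n"
    " DM2PR07CA0012.outlook.office365.com (2a01:111:e400:2414::12) with Microsoft\n"
    "X-MS-Office365-Filtering-Correlation-Id: 1d91711e-ed71-457b-940d-08d335d6569e\n")
SAMPLE_GMAIL = (
    "Received: by mail-qk0-f174.google.com with SMTP id c73so160486949qkg.2\n"
    " for <gowenfawr@example.com>; Mon, 20 Jun 2016 06:09:04 -0700 (PDT)\n"
    "X-Gm-Message-State: ALyK8tKapGupKvgAgZijc99P8ZvHpBqDPU3gNZLUw+bow15vQEcL4HYQNx19EMxYLRHKBQ==\n")

if __name__ == "__main__":
    print(classify_headers(SAMPLE_O365), classify_headers(SAMPLE_GMAIL))
    for domain in ("stackexchange.com", "play4kd.com"):  # FakeMX plays aspmx.l.google.com
        code, text = rcpt_probe(FakeMX({"stackexchange.com"}), domain,
                                "probe.example.net", "probe@example.net")
        print(f"{domain}: {code} {text} -> {verdict(code)}")
```

When running this against real mail exchangers, use a HELO name that resolves and a sender address you control, keep the rate low (the providers greylist and rate-limit probing hosts, which shows up as 4xx and an `indeterminate` verdict), and treat `accepted` as a hint to be confirmed with headers rather than as proof: the answer itself observed microsoft.com being accepted by Google's MX.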