An MX Record or Mail Exchange Record is a type of Domain Name System (DNS) record that points to the mail server responsible for handling email for a given domain. It defines how email messages are routed, in accordance with the Simple Mail Transfer Protocol (SMTP).
The main purpose of MX Records is to ensure that emails are sent to the correct destination address. MX records are a vital part of a working email system. They can play an important role in email forensic investigations.
The standard format of an MX Record is [name] [TTL] [class] [type] [priority] [rdata]. This is an example of an MX record:
google.com. 3600 IN MX 0 alt3.aspmx.l.google.com
Whenever you send an email message, your Mail Transfer Agent (MTA) looks up the MX records of the recipient’s domain name. It first tries to deliver the message to the mail server with the lowest preference value, i.e. the highest priority. If delivery fails, it retries the remaining mail servers in the record in increasing preference order, until the message is delivered.
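The following parser, added here as an example and not part of the original article, reads MX records in the [name] [TTL] [class] [type] [priority] [rdata] form shown above and derives the order in which an MTA would try the listed mail servers. The zone fragment is constructed sample data for a fictitious domain, not a live lookup.

```python
"""Parse MX records in zone-file form and derive the order in which an MTA
tries the listed mail servers.

Added example for this article, not part of the original post. The record
lines are constructed sample data for a fictitious domain, not a live lookup."""
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class MXRecord:
    name: str        # owner name, e.g. example.com
    ttl: int         # seconds the record may be cached
    preference: int  # lower value = tried first
    exchange: str    # hostname of the mail server


def parse_mx_line(line):
    """Parse one '[name] [TTL] [class] [type] [priority] [rdata]' record."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    name, ttl, rclass, rtype, pref, rdata = fields
    if rclass.upper() != "IN" or rtype.upper() != "MX":
        raise ValueError(f"not an IN MX record: {line!r}")
    # Zone files write absolute names with a trailing dot, and DNS names are
    # case-insensitive, so normalise both names for later comparison.
    return MXRecord(name.rstrip(".").lower(), int(ttl), int(pref),
                    rdata.rstrip(".").lower())


def parse_mx_records(zone_text):
    """Parse every non-blank, non-comment line of a zone fragment."""
    return [parse_mx_line(l) for l in zone_text.splitlines()
            if l.strip() and not l.lstrip().startswith(";")]


def delivery_order(records):
    """Hosts in the order an MTA attempts them: ascending preference value.

    Hosts sharing a preference value are equally preferred; a real MTA picks
    among them at random (RFC 5321, section 5.1). They are sorted by name
    here so the result is reproducible."""
    by_pref = sorted(records, key=lambda r: r.preference)
    ordered = []
    for _pref, group in groupby(by_pref, key=lambda r: r.preference):
        ordered.extend(sorted(r.exchange for r in group))
    return ordered


# Constructed sample: a primary server, two equal-preference secondaries and a
# low-priority backup at a third-party provider.
SAMPLE_ZONE = """\
; MX records for example.com (constructed)
example.com.  3600 IN MX 10 mx3.example.com.
example.com.  3600 IN MX 0  mx1.example.com.
example.com.  3600 IN MX 10 mx2.example.com.
example.com.  3600 IN MX 20 backup.mail-provider.example.
"""


def sample_delivery_order():
    return delivery_order(parse_mx_records(SAMPLE_ZONE))


if __name__ == "__main__":
    for host in sample_delivery_order():
        print(host)
```

Running the script prints mx1.example.com first (preference 0), then the two preference-10 hosts, and the backup host last; the parser rejects lines that are not IN MX records so that stray A or TXT records in a zone fragment are not silently treated as mail servers.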
Finding MX records is easy. On a Windows system, you can use the nslookup command-line tool. Run the following command in the command prompt (CMD) to find the MX records for the domain google.com:
nslookup -type=MX google.com
This will provide you with a non-authoritative answer to the query.
Figure 1 highlights the non-authoritative answer for the google.com domain. A non-authoritative answer means the answer was not fetched from the authoritative DNS server for the queried domain name, but from a cache.
A DNS system is divided into three tiers:
There’s another class of DNS server, usually called the local DNS server, whose IP address is configured in your operating system.
When your browser connects to a website such as google.com, the browser first queries the local DNS server to get the IP address of the website.
The query result is then cached on the local DNS server, where it can become outdated. When the TTL expires, the local DNS server refreshes the record from the authoritative DNS server. Whenever you query a DNS record through the local DNS server, it returns a non-authoritative answer. To get an authoritative answer, you need to specify the authoritative DNS server when using nslookup or other utilities. A local DNS server is also called a caching DNS server.
Figure 1: Non-authoritative answer for google.com domain
You can use the following command to find the primary name server of the domain:
nslookup -type=soa google.com
Figure 2: Fetching primary name server of google.com
Now that you have the name of the primary name server, which is ns1.google.com, you can run the following command to get an authoritative answer:
nslookup -type=mx google.com ns1.google.com
Figure 3: Authoritative answer for google.com domain
The command gives you the most up-to-date information about the domain, including the IPv4 and IPv6 addresses of the mail servers in use.
If you don’t want to use CMD, you can also fetch MX records of domains with web services, such as DNSChecker and MXToolbox.
MX records can help in email forensics in the following ways:
An email header contains important information such as the sender, the recipient and the hops (Received lines) the message passed through, which help in tracking the message’s journey. So, when you analyze an email, you can check whether the details in the header match the MX records of the domain.
Suppose you are analyzing an email that was sent a few years ago. If the email service provider mentioned in the email header is one that the target domain switched to only recently, that is a red flag. In this situation, you can investigate the discrepancy further and may find smoking guns.
A change in MX records doesn’t necessarily mean that the email service provider was changed. Sometimes, domain owners start using additional services to improve email security or to archive emails. When this happens, the MX records may show these additional servers, because they sit in front of the existing email servers. In other words, the emails go through these additional servers first, and then on to the main email servers.
Looking up the historical MX records of a domain can help you to discover additional sources for data collection. For instance, if you find out that a domain is using an archival service in addition to the main email servers, then the archival service may have backup files that you can collect and scan for additional data.
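The header check described above, and the historical-MX comparison that explains an apparent mismatch, as an added example that is not part of the original article. It extracts the "by" host from each Received header and reports the hosts that match neither the supplied MX set, the operators' zones, nor the recipient's own domain. The message, both MX lists and all domain names are constructed sample data; the provider-zone comparison (last two DNS labels) is a simplifying assumption that a real investigation would replace with a public-suffix list.

```python
"""Check whether the hosts that accepted an email (the 'by' host in each
Received header) are consistent with the recipient domain's MX records.

Added example for this article, not part of the original post. The message,
the MX host lists and all domain names are constructed sample data. The
provider-zone comparison (last two DNS labels) is a simplifying assumption;
a real investigation would use a public-suffix list instead."""
import re
from email import message_from_string

# 'by <host>' where <host> has at least one dot; an IPv6 'by 2002:...' is ignored.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.?",
                         re.IGNORECASE)

# Constructed sample: the message went sender -> archival relay -> internal server.
SAMPLE_EMAIL = """\
Received: from relay.archive-vendor.example (relay.archive-vendor.example [198.51.100.7])
\tby mail.example.com with ESMTP id 7f3a; Mon, 4 Mar 2019 10:15:02 +0000
Received: from sender.example.org (sender.example.org [192.0.2.25])
\tby relay.archive-vendor.example with ESMTPS id 41c9; Mon, 4 Mar 2019 10:14:59 +0000
From: alice@example.org
To: bob@example.com
Subject: Q1 figures

Attached.
"""

# Constructed MX sets for example.com: what the domain publishes today versus
# what a historical lookup for March 2019 would have returned.
CURRENT_MX = ["mx1.new-provider.example", "mx2.new-provider.example"]
HISTORICAL_MX_2019 = ["relay.archive-vendor.example"]


def provider_zone(hostname):
    """Heuristic: the last two labels identify the operator of a host."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def received_by_hosts(raw_message):
    """Return the 'by' host of every Received header, newest first."""
    msg = message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        # Collapse header folding (newline + tab) before matching.
        match = RECEIVED_BY.search(" ".join(value.split()))
        if not match:
            continue
        host = match.group(1).lower()
        if all(label.isdigit() for label in host.split(".")):
            continue  # dotted IPv4 literal, not a hostname
        hosts.append(host)
    return hosts


def check_against_mx(raw_message, recipient_domain, mx_hosts):
    """Return the receiving hosts that match neither the MX set, the MX
    operators' zones, nor the recipient's own domain. An empty list means the
    delivery path is consistent with the MX records supplied."""
    recipient_domain = recipient_domain.lower()
    mx_set = {h.rstrip(".").lower() for h in mx_hosts}
    mx_zones = {provider_zone(h) for h in mx_set}
    flagged = []
    for host in received_by_hosts(raw_message):
        internal = host == recipient_domain or host.endswith("." + recipient_domain)
        if host in mx_set or provider_zone(host) in mx_zones or internal:
            continue
        flagged.append(host)
    return flagged


if __name__ == "__main__":
    print("received by:", received_by_hosts(SAMPLE_EMAIL))
    print("vs current MX:", check_against_mx(SAMPLE_EMAIL, "example.com", CURRENT_MX))
    print("vs 2019 MX:", check_against_mx(SAMPLE_EMAIL, "example.com", HISTORICAL_MX_2019))
```

Checked against the current MX set, the archival relay is flagged as a discrepancy; checked against the MX records the domain had when the message was sent, nothing is flagged, which is exactly the case where the relay becomes a candidate source for additional data collection rather than evidence of tampering.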
In email forensics, fetching the MX records for a domain name can be useful in many ways. It can help in verifying that the recipient of an email used the correct email service provider. It can also help in checking whether the owner of a domain changed their service provider, and lead you to additional sources for data collection.
Need an email forensics software that is user-friendly and offers a wide range of useful features? Try Stellar Email Forensic! It supports 25+ email file formats such as PST, EDB, OST, and MBOX. The software makes email analysis easy with features like advanced search functions, deleted email recovery, tagging and bookmarking, and more. Download Stellar Email Forensic now. It is available for a free 60-day trial.
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.