Suped

How to identify if a company uses email filtering/security measures like Mimecast or Proofpoint?

Summary

Identifying whether a company uses email filtering or security services like Mimecast or Proofpoint takes several complementary checks. Examining MX records through DNS lookups, with tools like Google Admin Toolbox or MXToolbox, can expose the first-hop MTA and potential filter provider domains. Email headers, specifically the return-path, HELO domain, and service-specific headers (X-Proofpoint-SPF, X-Mimecast), reveal the email's path and potential filters. Checking IP and domain reputations with services like Spamhaus offers further insight. Sending test emails to seed lists and analyzing the resulting headers helps map out implemented filters. Bounce codes provide clues, and drastically different open rates within a company suggest filtering. Finally, appliance-based filters may require deeper inspection of connection behavior.

Key findings

  • MX Record Analysis: DNS lookups and tools like MXToolbox reveal the first-hop MTA and potential filter providers.
  • Header Examination: Examining the return-path, HELO domain, and service-specific headers in emails exposes filtering services.
  • IP Reputation: Checking IP and domain reputations with services like Spamhaus indicates potential filtering.
  • Seed List Testing: Sending test emails to seed lists and analyzing resulting headers maps implemented filters.
  • Bounce Code Analysis: Analyzing bounce codes provides clues about rejections by security services.
  • Open Rate Variance: Drastically different open rates within a company suggest the presence of filtering services.
  • Appliance Filters: Appliance-based filters require deeper inspection of connection behavior.

Key considerations

  • MX Record Limitations: MX records may not always reveal all filtering services (e.g., internal or cloud-based).
  • Header Authenticity: Email headers can be spoofed, requiring careful validation.
  • Reputation Accuracy: Reputation services offer clues but should not be the sole determinant.
  • Test Email Representativeness: Test emails may not fully mirror real-world traffic patterns.
  • Bounce Code Interpretation: Bounce codes require expertise to interpret accurately.
  • Open Rate Influences: Open rates are affected by various factors, not just filtering.
  • Data Handling Complexity: Analyzing MX records requires data handling and script writing.
  • Pattern Recognition: Identifying filtering services from headers requires knowing common signatures and patterns.

What email marketers say

11 marketer opinions

Identifying whether a company uses email filtering/security measures like Mimecast or Proofpoint involves several techniques. Examining MX records via DNS lookups and tools like Inbox Monster can reveal the first-hop MTA. Analyzing email headers, including the return-path address and HELO domain, often exposes the path an email took, revealing filtering services. Checking the recipient's IP reputation and using tools like Spamhaus can provide clues. Sending test emails to seed lists and observing the headers helps to identify applied filters. Finally, bounce codes and drastic differences in open rates within the same company can signal the use of filtering services, prompting further investigation.

Key opinions

  • MX Record Analysis: MX records can reveal if a company uses a third-party filtering service as the first-hop MTA.
  • Header Examination: Email headers often contain information about the path the email took, potentially exposing filtering services.
  • IP Reputation: Checking the recipient's IP reputation can indicate if the IP is associated with a known security service.
  • Seed List Testing: Sending test emails to a seed list and analyzing the headers can reveal which filters are in place.
  • Bounce Code Analysis: Analyzing bounce codes can reveal rejections by security services.
  • Open Rate Variance: Drastic differences in open rates within the same company can indicate the use of filtering services.

Key considerations

  • MX Records: While MX records can provide initial clues, they may not always accurately reflect all filtering services in use.
  • Header Spoofing: Email headers can be spoofed, so verifying the authenticity of the information is important.
  • Reputation Services: IP and domain reputation services should be used as one data point, not as the sole determinant of filtering.
  • Test Email Limitations: Test emails may not always accurately reflect real-world scenarios, so consider the limitations of this method.
  • Bounce Code Interpretation: Bounce codes can be complex, and interpreting them requires careful analysis.
  • Open Rate Tracking: Open rates can be affected by various factors, including content, subject lines, and recipient engagement, so isolate the effects of filtering as much as possible.

Marketer view

Marketer from Email Geeks shares that Inbox Monster has a feature called Subscriber Insights that allows a user to upload a list of domains and see the underlying MX records along with how many subscribers and domains roll up to a specific provider.

10 Jul 2023 - Email Geeks

Marketer view

Email marketer from Neil Patel's website explains that checking a recipient's IP reputation can offer clues. If the IP is associated with a known security service, it suggests filtering is in place.

16 Apr 2024 - Neil Patel

What the experts say

4 expert opinions

Identifying if a company uses email filtering/security measures involves several expert approaches. One involves classifying filters based on MX records, achieving a high classification rate. Custom scripts can be used for DNS lookups and data consolidation. Bounce messages and email headers can expose filtering services when analyzed for patterns and identifiers. Appliance-based filters may require deeper inspection beyond MX records, such as connection behavior and common filter appliances.

Key opinions

  • MX Classification: Extensive classification of filters can be achieved based on MX records.
  • Custom DNS Lookup: Custom scripts can be used to perform DNS lookups, store results, and consolidate data for MX record analysis.
  • Header Analysis: Analyzing bounce messages and email headers for specific identifiers can detect filtering services.
  • Appliance Filters: Appliance-based filters require analysis of bounce messages and connection behavior.

Key considerations

  • Classification Accuracy: While MX-based classification can be effective (75-80% in the example), it may not capture all filtering solutions.
  • Data Handling: Managing and cleaning DNS lookup data requires custom scripting and data manipulation.
  • Pattern Recognition: Successfully identifying filtering services from headers requires knowledge of common signatures and patterns.
  • In-depth Inspection: Appliance-based filters require a deeper level of inspection, including bounce messages and connection behavior, which may be more technical.

Expert view

Expert from Word to the Wise shares that by analyzing bounce messages and email headers for specific identifiers, one can often detect the presence of filtering services like Proofpoint or Mimecast. The key is to look for patterns and known signatures within the data.

30 Jan 2025 - Word to the Wise

Expert view

Expert from Spam Resource explains that appliance-based filters may not always be identifiable via MX records, requiring deeper inspection of bounce messages and connection behavior. However, one strategy is to look at common filtering appliances such as Barracuda.

26 Feb 2022 - Spam Resource

What the documentation says

4 technical articles

Identifying if a company uses email filtering/security measures such as Mimecast or Proofpoint can be achieved by leveraging various documentation resources. Google's documentation highlights using `dig` commands or the Google Admin Toolbox to inspect MX records, revealing the first-hop server. MXToolbox's resources offer online tools for analyzing MX records and DNS settings to identify common filtering services. Proofpoint's documentation advises examining email headers for Proofpoint-specific markers like 'X-Proofpoint-SPF'. Similarly, Mimecast's documentation notes the addition of 'X-Mimecast' headers to processed emails.

Key findings

  • MX Record Lookup: MX records can expose the first-hop server, potentially indicating the use of filtering services.
  • MXToolbox Analysis: MXToolbox provides tools for analyzing MX records and DNS settings.
  • Proofpoint Headers: Proofpoint adds specific headers (e.g., 'X-Proofpoint-SPF') to processed emails.
  • Mimecast Headers: Mimecast adds 'X-Mimecast' headers to processed emails.

Key considerations

  • Technical Proficiency: Using `dig` commands requires technical proficiency.
  • Header Variation: Header formats can vary, so understanding the specific headers added by each service is essential.
  • False Negatives: The absence of expected headers doesn't definitively mean a service isn't used, as configurations may vary.
  • Tool Limitations: Online tools like MXToolbox may have limitations or require paid subscriptions for full functionality.

Technical article

Documentation from Proofpoint answers that email headers often include information indicating that Proofpoint has processed the message. Look for "X-Proofpoint-SPF" or similar headers.

2 Jul 2024 - Proofpoint

Technical article

Documentation from MXToolbox explains that using MXToolbox's online tools can provide information about a domain's MX records and DNS settings. This can help identify if common filtering services are being used.

15 Jul 2021 - MXToolbox
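
The MX lookup and header checks described above can be combined so that neither signal is trusted on its own. This is an added example, not code from Suped or the cited sources; the MX suffix table, the prefix matching on header names, and the sample records and message are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumptions, not from the page: MX suffixes commonly seen for hosted filters.
# Verify them against current vendor documentation before relying on them.
MX_SUFFIXES = {"pphosted.com": "Proofpoint", "ppe-hosted.com": "Proofpoint",
               "mimecast.com": "Mimecast", "barracudanetworks.com": "Barracuda"}
# Header-name prefixes generalized from the page's X-Proofpoint-SPF / X-Mimecast.
HEADER_PREFIXES = {"x-proofpoint": "Proofpoint", "x-mimecast": "Mimecast"}

def classify_mx(records):
    """Map `dig +short MX` lines ("10 host.") or bare hostnames to providers."""
    found = set()
    for record in records:
        if not record.strip():
            continue  # skip blank lines in pasted dig output
        host = record.split()[-1].rstrip(".").lower()
        for suffix, provider in MX_SUFFIXES.items():
            # Match on a label boundary so "notmimecast.com" is not a hit.
            if host == suffix or host.endswith("." + suffix):
                found.add(provider)
    return found

def classify_headers(raw_message):
    """Return providers whose header-name prefix appears in the message."""
    names = [n.lower() for n in message_from_string(raw_message).keys()]
    return {p for prefix, p in HEADER_PREFIXES.items()
            if any(n.startswith(prefix) for n in names)}

def assess(mx_records, raw_message):
    """Grade each provider by how many independent signals agree."""
    mx, hdr = classify_mx(mx_records), classify_headers(raw_message)
    grades = {}
    for provider in mx | hdr:
        if provider in mx and provider in hdr:
            grades[provider] = "corroborated"
        elif provider in mx:
            grades[provider] = "mx-only"
        else:  # headers can be spoofed or survive forwarding
            grades[provider] = "header-only"
    return grades

# Constructed sample input: placeholder MX hosts and a made-up message.
SAMPLE_MX = ["10 mx0a-00000000.pphosted.com.", "10 mx0b-00000000.pphosted.com."]
SAMPLE_MSG = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "X-Proofpoint-SPF: pass\n"
    "X-Mimecast-Constructed-Example: 1\n"
    "Subject: Re: test\n\nbody\n")

if __name__ == "__main__":
    print(assess(SAMPLE_MX, SAMPLE_MSG))
```

A "header-only" grade reflects the page's caveat that headers can be spoofed, and an empty result is not proof that no filter is present, since appliance-based or internal filters may leave neither signal.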
