How to identify if a company uses email filtering/security measures like Mimecast or ProofPoint?

Summary

Identifying whether a company utilizes email filtering/security measures like Mimecast or Proofpoint involves a multi-faceted approach. Examining MX records through DNS lookups, utilizing tools like Google Admin Toolbox or MXToolbox, can expose the first-hop MTA and potential filter provider domains. Email headers, specifically the return-path, HELO domain, and service-specific headers (X-Proofpoint-SPF, X-Mimecast), reveal the email's path and potential filters. Checking IP and domain reputations with services like Spamhaus offers further insight. Sending test emails to seed lists and analyzing the resulting headers helps map out implemented filters. Analyzing bounce codes provides clues, while drastically different open rates within a company suggest filtering. Finally, understanding that appliance-based filters may require deeper inspection of connection behaviors is important.

Key findings

  • MX Record Analysis: DNS lookups and tools like MXToolbox reveal the first-hop MTA and potential filter providers.
  • Header Examination: Examining the return-path, HELO domain, and service-specific headers in emails exposes filtering services.
  • IP Reputation: Checking IP and domain reputations with services like Spamhaus indicates potential filtering.
  • Seed List Testing: Sending test emails to seed lists and analyzing resulting headers maps implemented filters.
  • Bounce Code Analysis: Analyzing bounce codes provides clues about rejections by security services.
  • Open Rate Variance: Drastically different open rates within a company suggest the presence of filtering services.
  • Appliance Filters: Appliance-based filters require deeper inspection of connection behavior.

Key considerations

  • MX Record Limitations: MX records may not always reveal all filtering services (e.g., internal or cloud-based).
  • Header Authenticity: Email headers can be spoofed, requiring careful validation.
  • Reputation Accuracy: Reputation services offer clues but should not be the sole determinant.
  • Test Email Representativeness: Test emails may not fully mirror real-world traffic patterns.
  • Bounce Code Interpretation: Bounce codes require expertise to interpret accurately.
  • Open Rate Influences: Open rates are affected by various factors, not just filtering.
  • Data Handling Complexity: Data handling and script writing are needed to analyse MX records.
  • Pattern Recognition: Identifying filtering services from headers requires knowing common signatures and patterns.

What email marketers say
11 Marketer opinions

Identifying whether a company uses email filtering/security measures like Mimecast or Proofpoint involves several techniques. Examining MX records via DNS lookups and tools like Inbox Monster can reveal the first hop MTA. Analyzing email headers, including the return-path address and HELO domain, often exposes the path an email took, revealing filtering services. Checking the recipient's IP reputation and using tools like Spamhaus can provide clues. Sending test emails to seed lists and observing the headers helps to identify applied filters. Finally, analyzing bounce codes and drastic differences in open rates within the same company can signal the use of filtering services, prompting further investigation.

Key opinions

  • MX Record Analysis: MX records can reveal if a company uses a third-party filtering service as the first hop MTA.
  • Header Examination: Email headers often contain information about the path the email took, potentially exposing filtering services.
  • IP Reputation: Checking the recipient's IP reputation can indicate if the IP is associated with a known security service.
  • Seed List Testing: Sending test emails to a seed list and analyzing the headers can reveal which filters are in place.
  • Bounce Code Analysis: Analyzing bounce codes can reveal rejections by security services.
  • Open Rate Variance: Drastic differences in open rates within the same company can indicate the use of filtering services.

Key considerations

  • MX Records: While MX records can provide initial clues, they may not always accurately reflect all filtering services in use.
  • Header Spoofing: Email headers can be spoofed, so verifying the authenticity of the information is important.
  • Reputation Services: IP and domain reputation services should be used as one data point, not as the sole determinant of filtering.
  • Test Email Limitations: Test emails may not always accurately reflect real-world scenarios, so consider the limitations of this method.
  • Bounce Code Interpretation: Bounce codes can be complex, and interpreting them requires careful analysis.
  • Open Rate Tracking: Open rates can be affected by various factors, including content, subject lines, and recipient engagement, so isolate the effects of filtering as much as possible.
Marketer view

Marketer from Email Geeks shares that Inbox Monster has a feature called Subscriber Insights that allows a user to upload a list of domains and see the underlying MX records along with how many subscribers and domains roll up to a specific provider.

January 2023 - Email Geeks
Marketer view

Email marketer from Neil Patel's website explains that checking a recipient's IP reputation can offer clues. If the IP is associated with a known security service, it suggests filtering is in place.

December 2021 - Neil Patel
Marketer view

Email marketer from Reddit shares that analyzing bounce codes shows that certain codes and messages indicate rejections by security services like Proofpoint or Mimecast.

July 2024 - Reddit
Marketer view

Email marketer from EmailMarketingForum.net recommends sending a test email to a seed list that includes addresses at various companies and email providers. By examining the headers of these test emails, you can often identify if filtering services are in use.

August 2022 - EmailMarketingForum.net
Marketer view

Email marketer from Reddit shares that examining the return-path address in the email header may reveal if a filtering service is being used.

May 2021 - Reddit
Marketer view

Email marketer from StackExchange shares that examining the email headers can expose the path an email took, revealing filtering services like Mimecast or Proofpoint if they're in the route.

March 2021 - StackExchange
Marketer view

Marketer from Email Geeks shares that you can use DNS lookup of the MX records for a domain to see what the first-hop receiving MTA is, and if it's a filter, it sometimes shows up using the filter provider's domain name.

August 2023 - Email Geeks
Marketer view

Email marketer from EmailMarketingSecrets.com explains that drastically different open rates between recipients within the same company or sending emails may indicate the use of a filtering service. This prompts further investigation into their email security setup.

December 2024 - EmailMarketingSecrets.com
Marketer view

Email marketer from EmailMarketingTips.com shares that sending a test email to a known seed list and observing the headers is a good way to see what filters are in place.

June 2021 - EmailMarketingTips.com
Marketer view

Email marketer from DeliverabilityBlog.com shares that using Spamhaus to check the IP and domain reputation gives insight into whether security measures are used. Bad reputations suggest strong filtering.

March 2023 - DeliverabilityBlog.com
Marketer view

Email marketer from EmailSecurityForums explains that looking at the HELO domain in the email header might expose known filter providers. This helps ID if a company is using filters.

December 2022 - EmailSecurityForums

What the experts say
4 Expert opinions

Identifying if a company uses email filtering/security measures involves several expert approaches. One involves classifying filters based on MX records, achieving a high classification rate. Custom scripts can be used for DNS lookups and data consolidation. Bounce messages and email headers can expose filtering services when analyzed for patterns and identifiers. Appliance-based filters may require deeper inspection beyond MX records, such as connection behavior and common filter appliances.

Key opinions

  • MX Classification: Extensive classification of filters can be achieved based on MX records.
  • Custom DNS Lookup: Custom scripts can be used to perform DNS lookups, store results, and consolidate data for MX record analysis.
  • Header Analysis: Analyzing bounce messages and email headers for specific identifiers can detect filtering services.
  • Appliance Filters: Appliance-based filters require analysis of bounce messages and connection behavior.

Key considerations

  • Classification Accuracy: While MX-based classification can be effective, it may not capture all filtering solutions (75-80% in the example).
  • Data Handling: Managing and cleaning DNS lookup data requires custom scripting and data manipulation.
  • Pattern Recognition: Successfully identifying filtering services from headers requires knowledge of common signatures and patterns.
  • In-depth Inspection: Appliance-based filters require a deeper level of inspection, including bounce messages and connection behavior which may be more technical.
Expert view

Expert from Word to the Wise shares that by analyzing bounce messages and email headers for specific identifiers, one can often detect the presence of filtering services like Proofpoint or Mimecast. The key is to look for patterns and known signatures within the data.

May 2024 - Word to the Wise
Expert view

Expert from Spam Resource explains that appliance-based filters may not always be identifiable via MX records, requiring deeper inspection of bounce messages and connection behavior. However, one strategy is to look at common filtering appliances such as Barracuda.

September 2024 - Spam Resource
Expert view

Expert from Email Geeks explains they have an extensive classification of filters based on MXs, and they can get about 75-80% of a list classified by the first hop filter.

February 2023 - Email Geeks
Expert view

Expert from Email Geeks shares that they have clients send a list of domains, then they drop them in a database where they have custom scripts that do DNS lookups, store the results, clean up the records to consolidate them, and label the ones they know of.

September 2024 - Email Geeks
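
The lookup, clean-up and labelling workflow described above can be sketched as follows. This is an added example, not the experts' own script: the provider suffixes (pphosted.com, mimecast.com, barracudanetworks.com), the function names and the sample `dig` answer lines are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed suffix table (not from the page); extend it from your own lookups.
KNOWN_FILTERS = {
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
    "barracudanetworks.com": "Barracuda",
}

# Constructed sample of `dig +noall +answer MX <domain>` output lines.
SAMPLE_ANSWERS = """\
alpha.example. 300 IN MX 10 mxa-00000001.gslb.pphosted.com.
alpha.example. 300 IN MX 20 mxb-00000001.gslb.pphosted.com.
bravo.example. 3600 IN MX 10 us-smtp-inbound-1.mimecast.com.
charlie.example. 3600 IN MX 5 mail.charlie.example.
charlie.example. 3600 IN MX 50 d000000a.ess.barracudanetworks.com.
delta.example. 600 IN MX 0 MX1.Delta.Example.
"""

def parse_mx(answers):
    """Return {domain: [(preference, exchange), ...]} from dig answer lines."""
    records = {}
    for line in answers.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3].upper() != "MX":
            continue  # skip blank lines and other record types
        domain = parts[0].rstrip(".").lower()    # clean-up: case, trailing dot
        exchange = parts[5].rstrip(".").lower()
        records.setdefault(domain, []).append((int(parts[4]), exchange))
    return records

def label_host(host):
    """Match on a label boundary so 'notmimecast.com' is not a hit."""
    for suffix, provider in KNOWN_FILTERS.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def classify(records):
    """Label each domain by its first-hop (lowest-preference) MX only."""
    return {domain: label_host(min(mxs)[1]) or "unclassified"
            for domain, mxs in records.items()}

def coverage(labels):
    """Consolidate per-provider counts and the share of domains classified."""
    counts = Counter(labels.values())
    classified = sum(n for p, n in counts.items() if p != "unclassified")
    return counts, classified / len(labels)
```

In the sample, charlie.example stays unclassified because its lowest-preference MX is its own host, even though a filter appears as a backup MX: the first-hop limitation noted in the considerations above.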

What the documentation says
4 Technical articles

Identifying if a company uses email filtering/security measures such as Mimecast or Proofpoint can be achieved by leveraging various documentation resources. Google's documentation highlights using `dig` commands or the Google Admin Toolbox to inspect MX records, revealing the first-hop server. MXToolbox's resources offer online tools for analyzing MX records and DNS settings to identify common filtering services. Proofpoint's documentation advises examining email headers for Proofpoint-specific markers like 'X-Proofpoint-SPF'. Similarly, Mimecast's documentation notes the addition of 'X-Mimecast' headers to processed emails.

Key findings

  • MX Record Lookup: MX records can expose the first-hop server, potentially indicating the use of filtering services.
  • MXToolbox Analysis: MXToolbox provides tools for analyzing MX records and DNS settings.
  • Proofpoint Headers: Proofpoint adds specific headers (e.g., 'X-Proofpoint-SPF') to processed emails.
  • Mimecast Headers: Mimecast adds 'X-Mimecast' headers to processed emails.

Key considerations

  • Technical Proficiency: Using `dig` commands requires technical proficiency.
  • Header Variation: Header formats can vary, so understanding the specific headers added by each service is essential.
  • False Negatives: The absence of expected headers doesn't definitively mean a service isn't used, as configurations may vary.
  • Tool Limitations: Online tools like MXToolbox may have limitations or require paid subscriptions for full functionality.
Technical article

Documentation from Proofpoint answers that email headers often include information indicating that Proofpoint has processed the message. Look for "X-Proofpoint-SPF" or similar headers.

October 2023 - Proofpoint
Technical article

Documentation from MXToolbox explains that using MXToolbox's online tools can provide information about a domain's MX records and DNS settings. This can help identify if common filtering services are being used.

June 2023 - MXToolbox
Technical article

Documentation from Mimecast indicates that Mimecast adds specific headers like 'X-Mimecast' to processed emails. Their presence confirms Mimecast is used.

March 2024 - Mimecast
Technical article

Documentation from Google explains how to use the `dig` command or Google Admin Toolbox to find MX records. These records can reveal the first hop server, potentially exposing the use of filtering services.

April 2023 - Google
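
The header check described in this section, with the spoofing and false-negative caveats applied, might look like this. It is an added example, not vendor code: the header prefixes are the ones named on the page, while the relay domains, the function names and the sample message (including its header values) are constructed assumptions.

```python
import re
from email import message_from_string

# Header prefixes are from the page; relay-host domains are assumptions.
SIGNATURES = {
    "Proofpoint": ("x-proofpoint", "pphosted.com"),
    "Mimecast": ("x-mimecast", "mimecast.com"),
}

# Constructed seed-test message, not a real capture.
SAMPLE = """\
Received: from mx0a-00000001.pphosted.com (mx0a-00000001.pphosted.com [192.0.2.10])
    by inbound.corp.example with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from sender.example (sender.example [198.51.100.7])
    by mx0a-00000001.pphosted.com with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
X-Proofpoint-SPF: constructed-value
X-Mimecast-Sample: constructed-value
From: a@sender.example
To: seed@corp.example
Subject: seed test

body
"""

def received_hosts(msg):
    """Collect the 'from' and 'by' host names of every Received header."""
    hosts = set()
    for value in msg.get_all("Received", []):
        found = re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", value)
        hosts.update(h.lower().rstrip(".") for h in found)
    return hosts

def fingerprint(raw):
    """Map provider -> strength of evidence found in one message."""
    msg = message_from_string(raw)
    hosts = received_hosts(msg)
    names = [name.lower() for name in msg.keys()]
    findings = {}
    for provider, (prefix, domain) in SIGNATURES.items():
        has_header = any(n.startswith(prefix) for n in names)
        has_hop = any(h == domain or h.endswith("." + domain) for h in hosts)
        if has_header and has_hop:
            findings[provider] = "header and relay hop"
        elif has_header:
            findings[provider] = "header only (unverified)"  # anyone can add it
        elif has_hop:
            findings[provider] = "relay hop only"
    return findings  # an empty result does not prove that no filter is in use
```

A header that is not corroborated by a matching relay hop is reported as unverified rather than as confirmation, since any sender can add an X- header.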