How to Tell Which Email Provider a Domain Uses
Learn how to tell whether a domain uses Google Workspace, Microsoft 365, or another mail provider by reading MX, SPF, DKIM, and related DNS patterns.
Tools For This Topic
Why provider fingerprints show up in DNS
Mail providers leave recognisable patterns in DNS because they need customers to publish provider-specific MX records, SPF includes, DKIM selectors, and sometimes additional policy or verification records.
That means you can often tell which mail platform a domain uses without logging into the tenant, simply by reading the DNS records carefully.
Signals that usually identify the provider
- MX hostnames that clearly map to Google Workspace or Microsoft 365
- SPF include mechanisms such as spf.protection.outlook.com
- DKIM selector conventions used by a particular provider
- Additional security layers such as Mimecast, Proofpoint, or other gateways appearing in MX or TXT records
- Verification records or hosted-service fingerprints that support the same conclusion
Why one signal is not always enough
Domains often use more than one provider at once. A company may deliver through Microsoft 365, sign with a third-party bulk sender, filter inbound mail through a gateway, and still carry old verification records from a previous migration.
Because of that, provider detection works best when you compare multiple record types instead of relying on MX alone.
A practical provider-detection workflow
- Check MX first to see where inbound mail is directed
- Review SPF to identify outbound sending services
- Inspect DKIM selectors to spot signing providers
- Check DMARC, MTA-STS, TLS-RPT, and BIMI for overall mail maturity
- Compare what you find with known provider setup patterns
That workflow helps you separate inbound routing, outbound sending, and signing behaviour. Those roles are often split across different services, so treating them as separate questions usually produces better conclusions.
Common reasons the picture looks messy
Migrations, hybrid environments, and layered email security often leave mixed signals in DNS. A domain may be partly moved to a new provider while still depending on old records or gateway services. That does not always indicate a problem, but it does mean the environment deserves a closer review.
When in doubt, treat DNS provider fingerprints as evidence of a pattern, not as legal proof of the exact tenant design.
This is especially important in larger organisations where different business units may use different outbound platforms while still sharing one visible domain. The DNS can reflect that complexity even when the environment is functioning normally.
Related tools and guides
Related Articles
DNS Records Required for Google Workspace (Complete Setup Guide)
Complete guide to Google Workspace DNS records including MX, SPF, DKIM, DMARC, and domain verification. Includes real record examples and setup best practices.
DNS Records Required for Microsoft 365 (Complete Setup Guide)
Complete guide to Microsoft 365 DNS records including MX, SPF, CNAME, DKIM, and DMARC. Includes real record examples and migration best practices.
How to Identify a Hosted Service from DNS Clues
Learn how to identify a hosted service or platform from DNS clues such as CNAME targets, MX patterns, TXT records, and provider-specific hostname conventions.