[dkga]

I am curious: can something like this be used to check the provider handling the e-mails of, say, groups of companies? I ask this because I am a research economist, and part of my research is in the intersection of tech and economics/finance. So for example, I would be delighted to check the e-mail providers of S&P 500 companies and then check whether outages or bad news related to their e-mail providers (proxying for their broader application) also translates to lower returns in the client firms.

[slow_typist]

Like municipalities, companies have domains. So in short, yes, if you have a list of domains of the population you are interested in. The DNS tells which server handles incoming email, that is public information. The detection part (who is the provider, what kind of system do they use) can be trickier. You have probably noted the confidence levels given if you click on a certain municipal body. It could be fingerprinting, standard tool to do this would be nmap, or interpretation of the DNS responses, or a combination, or something else (like sending emails and hoping for a response that tells something about the system it went through).

[gwittel]

Yes. In the past I helped sort out tooling like this for competitive analysts. There are a few ways this is done:

1) Check the businesses’ MX record. Often this points to a third party provider like Microsoft or Google. 2) Connect to the mail server identified in the MX record. Sometimes these have banners that identify the vendor (vs something generic like sendmail) 3) Email headers from messages sent to users in the company (or sometimes a bounce). Often these have headers from one or more providers. You’ll have to sort out the path to understand which bits were added by the sender/recipient path though.

These days often companies have multiple providers (security) so they might have one at the edge (mx) and more internal hops. You can usually see these in the headers.

[jbrob]

To do it manually, have a look at e.g. https://toolbox.googleapps.com/apps/dig/#MX/ and enter a domain name (say total.com). Here you'll see that total.com uses outlook.com as their e-mail service. Given a list of domains, something like this can be automated easily enough.