Kalle Lilja

Check Exchange Accepted Domains usage via DNS with Powershell

When running any version of Microsoft Exchange, whether for internal use or customer facing, it is always a good idea to keep the Accepted Domains list as up to date and correct as possible: a misconfiguration can let users send mail that never arrives at the intended inbox.

There are of course numerous ways to determine whether an accepted domain is still in use. A quick one off the top of my head is to check the domain's external MX records: if they point back to this Exchange system, as the configuration guidelines require, the domain must still be active in some way.
MX records can be checked with the nslookup command using the syntax nslookup -q=mx domain DNS.

C:\Windows\System32\nslookup -q=mx contoso.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
contoso.com     MX preference = 10, mail exchanger = mail.global.frontbridge.com

I've cobbled together a PowerShell script that uses the Exchange cmdlet Get-AcceptedDomain to list all configured Accepted Domains in the environment and then checks each domain's MX records via Google's public DNS server 8.8.8.8 in two ways. The first, "hard", checks not only that the MX record names your mail host but also that it carries the preference value you consider correct; the second, "soft", simply makes sure the MX host appears somewhere in the answer.

I've published the script Get-AcceptedDomainMX.ps1 on GitHub, and it is reproduced below.

<#
    .SYNOPSIS
    Performs external MX queries for all configured AcceptedDomains in an Exchange environment.
    .DESCRIPTION
    The script retrieves all configured AcceptedDomains in the Exchange environment and checks the corresponding domain names for MX records via Google's public DNS server 8.8.8.8.
    This is a quick at-a-glance way to tell whether a domain is no longer in use in the environment.
    Especially useful in hosted solutions.
    .INPUTS
    None
    .OUTPUTS
    Two result files are generated:
    .\AcceptedDomainMXlookup_HARD.txt
    Correct if the MX answer contains "MX preference = 10, mail exchanger = mx.domain.com",
    i.e. only "correctly" configured domains.
    .\AcceptedDomainMXlookup_SOFT.txt
    Correct if the MX answer contains "mx.domain.com" anywhere,
    i.e. working, but not "correct".
    .EXAMPLE
    .\Get-AcceptedDomainMX.ps1
    .NOTES
    You need to run this script with the Exchange modules loaded to be able to use 'Get-AcceptedDomain'.
    No changes are made to the Exchange environment.
    Remember to change the values under # Variables to match your settings.
    The string comparison relies on nslookup's English output; on a localised Windows the wording differs.
#>

# Set Error Action to Silently Continue
$ErrorActionPreference = "SilentlyContinue"

# Variables
$mxHard    = "MX preference = 10, mail exchanger = mx.domain.com"   # exact text expected in the nslookup answer
$mxSoft    = "*mx.domain.com*"                                       # wildcard: MX host present anywhere in the answer
$dnsServer = "8.8.8.8"
$domains   = Get-AcceptedDomain
$targetDir = ".\"

# Check for MX - HARD
# nslookup returns one string per output line. -match with the escaped pattern
# (so the dots in the host name are literal) yields the matching lines; an empty
# result, or no output at all, is treated as INCORRECT.
$output = foreach ($domain in $domains) {
    $nslookup = C:\Windows\system32\nslookup.exe -q=mx $domain.DomainName $dnsServer 2>$NULL
    if ($nslookup -match [regex]::Escape($mxHard)) {
        Write-Host Correct: $domain.DomainName
        Write-Output "Correct: $($domain.DomainName)"
        Write-Output ""
    } else {
        Write-Host INCORRECT: $domain.DomainName
        Write-Output "INCORRECT: $($domain.DomainName)"
        Write-Output "Output from nslookup:"
        Write-Output "$nslookup"
        Write-Output ""
    }
}
$output | Out-File -FilePath (Join-Path $targetDir "AcceptedDomainMXlookup_HARD.txt")

# Check for MX - SOFT
# -like with the wildcard pattern only requires the MX host to appear somewhere,
# whatever its preference value.
$output = foreach ($domain in $domains) {
    $nslookup = C:\Windows\system32\nslookup.exe -q=mx $domain.DomainName $dnsServer 2>$NULL
    if ($nslookup -like $mxSoft) {
        Write-Host Correct: $domain.DomainName
        Write-Output "Correct: $($domain.DomainName)"
        Write-Output ""
    } else {
        Write-Host INCORRECT: $domain.DomainName
        Write-Output "INCORRECT: $($domain.DomainName)"
        Write-Output "Output from nslookup:"
        Write-Output "$nslookup"
        Write-Output ""
    }
}
$output | Out-File -FilePath (Join-Path $targetDir "AcceptedDomainMXlookup_SOFT.txt")
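As an added example (not the author's script), the same hard/soft classification done with the DnsClient module's Resolve-DnsName, which returns MX records as objects with Preference and NameExchange properties rather than locale-dependent nslookup text, so the result can go straight to Export-Csv. The host mx.domain.com, the preference 10 and the sample records are placeholders and constructed data; the function names are mine.

```powershell
# Added example: structured MX check with Resolve-DnsName (DnsClient module,
# Windows 8 / Server 2012 and later). Placeholder host and preference below.
function Get-MxStatus {
    param(
        [string]$Domain,
        [object[]]$Records,                       # objects with NameExchange and Preference
        [string]$ExpectedMx = 'mx.domain.com',    # placeholder: your edge MX host
        [int]$ExpectedPref  = 10                  # placeholder: the preference you expect
    )
    # Records naming the expected host (trailing dot tolerated, case-insensitive)
    $hits = @($Records | Where-Object { $_.NameExchange -and $_.NameExchange.TrimEnd('.') -ieq $ExpectedMx })
    $status = if ($hits.Count -eq 0) { 'INCORRECT' }                                   # host absent
              elseif ($hits | Where-Object { $_.Preference -eq $ExpectedPref }) { 'Correct' }  # "hard" match
              else { 'Soft' }                                                           # host present, other preference
    [pscustomobject]@{
        Domain = $Domain
        Status = $status
        Answer = @($Records | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; '
    }
}

function Test-AcceptedDomainMx {
    param([string]$Domain, [string]$DnsServer = '8.8.8.8')
    try {
        # -DnsOnly skips LLMNR/NetBIOS; the answer may also carry A records for the
        # MX hosts, so keep only the MX records themselves
        $recs = Resolve-DnsName -Name $Domain -Type MX -Server $DnsServer -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'MX' }
    } catch {
        $recs = @()   # NXDOMAIN or no MX record: classified as INCORRECT
    }
    Get-MxStatus -Domain $Domain -Records $recs
}

# Constructed sample records, so the classification can be seen without a live lookup
$sample = @(
    [pscustomobject]@{ NameExchange = 'mx.domain.com';      Preference = 10 }   # expected host and preference
    [pscustomobject]@{ NameExchange = 'mx.domain.com';      Preference = 20 }   # expected host, other preference
    [pscustomobject]@{ NameExchange = 'mail.other.example'; Preference = 10 }   # different host
)
Get-MxStatus -Domain 'first.example'  -Records @($sample[0])
Get-MxStatus -Domain 'second.example' -Records @($sample[1])
Get-MxStatus -Domain 'third.example'  -Records @($sample[2])

# Live run with the Exchange cmdlets loaded (constructed file name):
# Get-AcceptedDomain | ForEach-Object { Test-AcceptedDomainMx -Domain $_.DomainName } |
#     Export-Csv -Path .\AcceptedDomainMX.csv -NoTypeInformation
```

A domain whose MX points elsewhere is only evidence that inbound mail from the internet no longer reaches this system; it does not by itself prove the domain is unused for internal delivery, so treat INCORRECT as a prompt to investigate rather than a removal list.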