When running any version of Microsoft Exchange infrastructure, whether for internal use or customer-facing, it's always a good idea to keep the Accepted Domains list as up to date and correct as possible, because misconfigurations may lead to users being able to send mail without it actually arriving at the intended inbox.
There are of course numerous ways to determine whether or not an accepted domain is in use. A quick one off the top of my head is to check the domain's external MX records: if they point back to this Exchange system as per configuration guidelines, the domain must in some way still be active.
MX records can be checked via the nslookup command using this syntax: nslookup -q=mx domain DNS.
C:\Windows\System32\nslookup -q=mx contoso.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
contoso.com MX preference = 10, mail exchanger = mail.global.frontbridge.com
I've cobbled together a PowerShell script that uses the Exchange command Get-AcceptedDomain to get a list of all configured Accepted Domains in the environment, then checks each domain's MX records via Google's public DNS 8.8.8.8 in two ways. The first way, "hard", checks not only that the configuration includes the MX address but also that it has what is, in your eyes, the correct preference value. The second way, "soft", simply makes sure that the MX address is included somewhere.
I’ve distributed the script Get-AcceptedDomainMX.ps1 over on GitHub as well as below.
<#
.SYNOPSIS
    Performs external MX queries for all found configured AcceptedDomains in Exchange environment.
.DESCRIPTION
    The script retrieves all configured AcceptedDomains in Exchange environment and checks the
    corresponding domain names for MX pointers via Google's public 8.8.8.8 NS server.
    This is a quick at-a-glance way to tell if a domain is no longer in use in the environment.
    Especially useful in Hosted solutions.
.INPUTS
    None
.OUTPUTS
    Two results generated;
    .\AcceptedDomainMXlookup_HARD.txt. Correct if MX = "MX preference = 10, mail exchanger = mx.domain.com". e.g. only "correctly" configured domains.
    .\AcceptedDomainMXlookup_SOFT.txt. Correct if MX inc "mx.domain.com". e.g. working, but not "correct".
.EXAMPLE
    .\Get-AcceptedDomainMX.ps1
.NOTES
    You need to run this script with Exchange modules enabled as to be able to use 'Get-AcceptedDomain'.
    No changes are made to the Exchange environment.
.NOTES
    Remember to swap the # Variables to match your settings.
#>

# Set Error Action to Silently Continue
$ErrorActionPreference = "SilentlyContinue"

# Variables
$mxHard = "MX preference = 10, mail exchanger = mx.domain.com"
$mxSoft = "*mx.domain.com*"
$dnsServer = "8.8.8.8"
$domains = Get-AcceptedDomain
$targetDir = ".\"

# Check for MX - HARD
$output = foreach ($domain in $domains) {
    $nslookup = C:\Windows\system32\nslookup.exe -q=mx $domain.DomainName $dnsServer 2>$NULL
    if ($nslookup -match $mxHard) {
        Write-Host Correct: $domain.DomainName
        Write-Output "Correct: $($domain.DomainName)"
        Write-Output ""
    }
    else {
        Write-Host INCORRECT: $domain.DomainName
        Write-Output "INCORRECT: $($domain.DomainName)"
        Write-Output "Output from nslookup:"
        Write-Output "$nslookup"
        Write-Output ""
    }
}
$output | Out-File -filepath "$targetDir\AcceptedDomainMXlookup_HARD.txt"

# Check for MX - Soft
$output = foreach ($domain in $domains) {
    $nslookup = C:\Windows\system32\nslookup.exe -q=mx $domain.DomainName $dnsServer 2>$NULL
    if ($nslookup -like $mxSoft) {
        Write-Host Correct: $domain.DomainName
        Write-Output "Correct: $($domain.DomainName)"
        Write-Output ""
    }
    else {
        Write-Host INCORRECT: $domain.DomainName
        Write-Output "INCORRECT: $($domain.DomainName)"
        Write-Output "Output from nslookup:"
        Write-Output "$nslookup"
        Write-Output ""
    }
}
$output | Out-File -filepath "$targetDir\AcceptedDomainMXlookup_SOFT.txt"
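Both checks above are substring matches on raw nslookup text, so a mail exchanger whose name merely contains mx.domain.com is also reported as correct. The following is an added example, not part of Get-AcceptedDomainMX.ps1: it parses the MX lines and compares host name and preference exactly. The function names, the sample .example domains and their nslookup lines are constructed for illustration, and mx.domain.com / 10 are the same placeholders as in the script's # Variables section.

```powershell
# Added example; placeholders as in the script's "# Variables" section.
$expectedMx   = 'mx.domain.com'
$expectedPref = 10

function Get-MxRecordFromNslookup {
    # Turns raw "nslookup -q=mx" output lines into objects (Preference, Exchanger).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'MX preference = (\d+), mail exchanger = (\S+)') {
            [pscustomobject]@{
                Preference = [int]$Matches[1]
                Exchanger  = $Matches[2].TrimEnd('.')   # drop a trailing root dot
            }
        }
    }
}

function Test-AcceptedDomainMx {
    # Hard  = exact host AND expected preference
    # Soft  = exact host, different preference
    # Other = MX records exist, none point at the expected host
    # NoMX  = lookup returned no MX records at all
    param([string[]]$Lines, [string]$Mx, [int]$Preference)
    $records = @(Get-MxRecordFromNslookup -Lines $Lines)
    if ($records.Count -eq 0) { return 'NoMX' }
    $mine = @($records | Where-Object { $_.Exchanger -eq $Mx })   # -eq ignores case
    if ($mine.Count -eq 0) { return 'Other' }
    if ($mine | Where-Object { $_.Preference -eq $Preference }) { return 'Hard' }
    return 'Soft'
}

# Constructed nslookup output (not real lookups), one entry per outcome.
$samples = [ordered]@{
    'hard.example'      = @('Non-authoritative answer:',
                            'hard.example  MX preference = 10, mail exchanger = mx.domain.com')
    'soft.example'      = @('Non-authoritative answer:',
                            'soft.example  MX preference = 20, mail exchanger = mx.domain.com')
    # Passes both substring checks in the script, but is a different host.
    'lookalike.example' = @('Non-authoritative answer:',
                            'lookalike.example  MX preference = 10, mail exchanger = mx.domain.com.mail.example')
    'gone.example'      = @('Server:  dns.google', 'Address:  8.8.8.8')
}

foreach ($name in $samples.Keys) {
    $result = Test-AcceptedDomainMx -Lines $samples[$name] -Mx $expectedMx -Preference $expectedPref
    '{0,-18} {1}' -f $name, $result
}
```

To use it against live data, pass the $nslookup array from the loops above as -Lines; domains reported as Other or NoMX are the candidates to review in the Accepted Domains list.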