Reverse MX Lookup — Domains Sharing Mail Infrastructure

MX records specify which hosts receive SMTP for a domain. Those hosts resolve to IPs operated by mailbox providers or custom mail clusters. When multiple domains share mail IPs — common on shared hosting SMTP relays — reverse-IP lists surface co-tenant mail neighbors.

Our reverse MX lookup resolves your MX hostname, then applies the same reverse-IP mechanics as nameserver correlation but focused on mail paths — valuable when investigating spam campaigns sharing cheap hosting SMTP relays.

Paste the target from MX record priority entries — mail.example.com, mx.zoho.com, or provider-specific patterns. Do not paste recipient email addresses — hostnames only. mxHost echoes normalized input for audit logs.

Typo MX hosts fail DNS resolution with error text before reverse-IP runs.

First mxIps entry geolocates for org, asn, and country — identifying whether mail flows through Google, Microsoft, regional ISP relays, or dedicated hosting SMTP nodes. This context helps interpret unrelated domain counts on hyperscaler MX pools versus small shared host relays.

Country reflects IP registration metadata, not mail sender locale.

Google Workspace and Microsoft 365 MX hostnames resolve to massive shared infrastructure — relatedDomains may list thousands of unrelated businesses. domainCount high on aspmx.l.google.com is expected infrastructure scale, not proof domains coordinate maliciously.

Small hosting provider MX relays with dozens of related domains warrant closer neighbor content review for spam collateral.

Commercial passive DNS indexes historical MX record observations across the web — answering which domains ever pointed MX at a hostname. Our note states we correlate via resolved mail IP reverse-IP instead — catching co-residents on same SMTP IP today but missing domains using same MX hostname on different anycast answers.

Use email deliverability checker for SPF/DKIM/DMARC on individual domains; use this tool for infrastructure pivoting.

Analysts extract MX from phishing domain DNS, pivot to relatedDomains on same SMTP IP, and prioritize review of neighbors for similar lure templates. Shared relay compromise affects all domains on that relay — provider abuse reports reference mail IP and timestamps.

Combine with abuse contact finder on SMTP IP when reporting outbound spam from shared relays.

Display lists cap at one hundred domains. truncated true when more exist. domainCount preserves full cardinality for analyst notes even when UI slices samples.

Batch pivot jobs should cache MX resolutions — DNS answers are stable short term but change during mail migrations.

Current workflow resolves IPv4 A records on MX hostnames. IPv6-only mail without A records returns empty mxIps — try alternate legacy MX hostnames or A record subdomains when providers publish both.

AAAA-only mail adoption remains minority — IPv4 correlation still covers most shared hosting relays.

Reverse NS lookup pivots on authoritative DNS infrastructure. Email deliverability checker validates SPF alignment on a domain. IP reputation checker scores SMTP IP blacklist status before trusting relay reputation.

Shared hosting detector assesses web IP density separately — mail and web may use different IPs on same provider.

Extended API action reverse-mx-lookup accepts host or query with MX hostname. Parse mxIps, relatedDomains, org, asn, and domainCount for SOAR playbooks.

Filter relatedDomains client-side when provider pools exceed practical review size — focus on counts and org metadata instead.