
The MX Record: Who receives your emails has more power than you think

Password resets, contracts, 2FA codes – everything runs through email. And the MX record decides where it all lands.

What is an MX record?

The MX record (Mail Exchange Record) defines which server accepts emails for your domain. When someone sends an email to you@your-domain.com, the sending mail server first queries your domain's MX record in DNS – and delivers the email to the server listed there.

MX records have a priority (lower number = higher priority), so fallback servers can be defined. But at its core it's simple: The MX record tells the internet where your emails go.

Why is it so critical?

Email is still the central trust anchor on the internet. Not because email is secure – but because almost everything builds on it:

• Password reset links
• 2FA backup codes
• Contract confirmations and invoices
• Platform and service invitations
• Domain verifications ("Confirm your email address")

Whoever receives your emails can reset passwords, take over accounts, confirm contracts, and impersonate you. Without ever touching your actual system.

What does an attack look like?

Scenario 1: An attacker changes your MX record to point to a server they control. From now on, they receive all incoming emails for your domain. They reset passwords on SaaS tools, take over accounts, and read confidential communication.

Scenario 2: The attacker adds an additional MX record with a higher priority (a lower number). Your actual mail server keeps running – but some emails go to the attacker first. More subtle, harder to detect.

Scenario 3: Business Email Compromise (BEC). The attacker changes the MX record briefly, intercepts a specific email (e.g., an invoice with payment instructions), changes the bank details, and forwards the email. Then they reset the MX record. Everything looks normal – until the money is gone.

Why MFA doesn't help here

MFA protects the login. But if the attacker controls the password reset flow, they don't need a login. They reset the password, receive the reset link via email (because they control the MX record), and log in – without ever bypassing your MFA.

That's the insidious part: MFA protects the door. But the MX record gives the attacker the key to the mailbox where the spare key is kept.

How often do MX records change?

Almost never. You set up your mail server or mail provider once – Google Workspace, Microsoft 365, Fastmail – and then the MX records stay the same for years.

That's exactly why any change is suspicious. If your MX record changes and you haven't switched providers, something is wrong.

What Driftguard detects

Driftguard captures your MX records as a baseline: Which mail servers, which priorities. Every check compares against it. New MX records, changed priorities, removed entries – everything is detected and documented.

You don't just get "MX has changed" – you get the full context: What was before, what is now, when it was detected. So you can decide in seconds: Planned or attack?
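To make the baseline-and-compare idea concrete, covering both the priority ordering explained under "What is an MX record?" and the detection described in this section, here is an added Python example written for this page. It is not Driftguard's code and says nothing about how Driftguard is implemented. It assumes the MX answers have already been fetched (for example with dig) as "<priority> <host>" lines; every host name, record set and timestamp in it is constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class MXRecord:
    priority: int  # lower value = tried first by sending mail servers
    host: str


def parse_mx_records(lines):
    """Parse answer lines of the form '<priority> <host>.' (as dig prints them) into a record set.

    Comment lines starting with ';' and blank lines are skipped; host names are normalised
    by dropping the trailing dot and lower-casing, so cosmetic differences do not count as drift.
    """
    records = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        priority, host = line.split(None, 1)
        records.add(MXRecord(int(priority), host.strip().rstrip(".").lower()))
    return frozenset(records)


def delivery_order(records):
    """Hosts in the order a sending server tries them: lowest priority value first."""
    return [r.host for r in sorted(records)]


def diff_mx(baseline, current):
    """Compare two record sets by host: new hosts, vanished hosts, and hosts whose priority moved."""
    before = {r.host: r.priority for r in baseline}
    after = {r.host: r.priority for r in current}
    return {
        "added": sorted((after[h], h) for h in after.keys() - before.keys()),
        "removed": sorted((before[h], h) for h in before.keys() - after.keys()),
        "priority_changed": sorted(
            (h, before[h], after[h]) for h in before.keys() & after.keys() if before[h] != after[h]
        ),
    }


def check_mx(baseline, current, checked_at):
    """One monitoring check. Returns an alert with full context, or None when nothing drifted."""
    changes = diff_mx(baseline, current)
    if not any(changes.values()):
        return None
    before_order = delivery_order(baseline)
    after_order = delivery_order(current)
    return {
        "detected_at": checked_at,
        "before": before_order,
        "after": after_order,
        "changes": changes,
        # If the first-choice host differs, new mail is now landing somewhere it did not before.
        "primary_changed": before_order[:1] != after_order[:1],
    }


def run_checks(baseline_lines, checks):
    """Run every (timestamp, answer lines) check against the baseline; keep only the alerts."""
    baseline = parse_mx_records(baseline_lines)
    alerts = []
    for checked_at, lines in checks:
        alert = check_mx(baseline, parse_mx_records(lines), checked_at)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample data (not real lookups): the baseline recorded at setup time ...
BASELINE_ANSWER = [
    "; constructed: answer section of an MX lookup for your-domain.com",
    "10 mx1.example-provider.com.",
    "20 mx2.example-provider.com.",
]
# ... a check where an extra record with a better (lower) priority appears, as in Scenario 2 ...
EXTRA_RECORD_ANSWER = [
    "5 mx.unexpected.example.",  # constructed placeholder host
    "10 mx1.example-provider.com.",
    "20 mx2.example-provider.com.",
]
# ... and a sequence of checks where the set is normal, then altered, then normal again.
SAMPLE_CHECKS = [
    ("2024-01-01T06:00:00Z", BASELINE_ANSWER),
    ("2024-01-02T06:00:00Z", EXTRA_RECORD_ANSWER),
    ("2024-01-03T06:00:00Z", BASELINE_ANSWER),
]

if __name__ == "__main__":
    for alert in run_checks(BASELINE_ANSWER, SAMPLE_CHECKS):
        print(alert["detected_at"], "MX drift:", alert["before"], "->", alert["after"])
        print("  changes:", alert["changes"], "primary changed:", alert["primary_changed"])
```

Running the script reports one alert, for the middle check, with the before and after delivery order and the timestamp. Because each check is a point-in-time snapshot, a change made and reverted between two checks (Scenario 3) leaves no trace here; the check interval bounds how short a change can be and still be seen, which is why it matters as much as the comparison itself.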