Most of what our nightly scan finds is orderly: as of the 2026-07-05 snapshot, 664,715 of the Tranco top-1M domains publish MX records, and the overwhelming majority point where you would expect — Google, Microsoft, a hosting provider, a security gateway. But the long tail contains 36,377 MX hostnames our 310+ classification patterns cannot match to any known provider, and buried in that tail is the good stuff: records that are broken, baffling, or accidentally poetic. Here are our favorite exhibits, each with the operational lesson it quietly teaches. The full long-tail data lives in the long-tail section of our daily email infrastructure report.
Exhibit A: the hostname that needed a deep breath
port-arthur-historic-site-management-authority-mx2.firstcloudsecurity.netAt over 70 characters, this is one of the longest MX targets in the dataset. It is entirely valid — DNS allows labels up to 63 characters and names up to 255 — and to be fair, it is admirably descriptive. You know exactly whose mail this is and which box it is.
The lesson: hostnames are read by machines but typed by humans. Every extra character in an MX target is another chance for a typo in a config file, a truncation in a monitoring dashboard, or a mismatch in a TLS certificate. Descriptive is good; a 70-character name in the hot path of your mail delivery is a bet that nobody will ever have to retype it.
Exhibit B: the typo that ate itself
mx1.123-regmmailsec.protonmail.chailsec.protonmail.ch.co.ukStare at it for a second. Somewhere inside is mailsec.protonmail.ch — twice, overlapping, with a stray .co.uk welded on the end. This is what happens when a paste lands in the middle of an existing value, or when a DNS zone editor "helpfully" appends the zone name to a record that was missing its trailing dot — and nobody looks at the result.
The lesson: DNS zone files have a sharp edge: a name without a trailing dot is relative, and the zone gets appended. Half the mangled records in our dataset have exactly this fingerprint. After any MX change, do the boring thing: dig MX yourdomain.com and read what the world actually sees, not what you meant to type.
Exhibit C: 253 domains whose mail server is named "mail"
Not mail.example.com. Just mail. As of the 2026-07-05 snapshot, 253 top-1M domains publish an MX target that is a single bare label with no dots. It is the same trailing-dot accident as Exhibit B in its purest form — except here the record escaped the zone before being expanded, and now the domain is asking the entire internet to deliver its mail to a host called "mail", resolvable by no one.
The lesson: a syntactically valid record can still be semantically dead, and DNS will not warn you. If you send email for a living, these domains are guaranteed bounces you can filter out before sending — one of several reasons to look up MX records during list hygiene, not after the campaign.
Exhibit D: localhost, tilde, and the sound of silence
The broken-MX census gets better the deeper you go:
- 4,925 domains publish an MX record with an empty target — a record that says "my mail server is" and then says nothing.
- 502 domains point their MX at
localhost, politely instructing every sending server on earth to deliver the mail to itself. - 157 domains point at a literal
~— the home-directory shortcut, promoted to mail infrastructure. Somewhere, a shell expansion did not happen.
Some of these are pure accidents. But many are intentional: an operator trying to say "this domain does not accept mail" and improvising the vocabulary. The improvisations are worse than silence — senders waste connection attempts, retry queues fill, and bounces arrive late and cryptic.
There is an official way to declare a domain no-mail, standardized in 2015: a single MX record with preference 0 and a target of the root — 0 . — the Null MX. Receivers reject immediately, senders get a clean permanent error, and nobody's queue fills with retries. If you own parked domains, this is a one-line kindness to the rest of the internet.
Exhibit E: the government domain behind a security appliance
Scattered through the long tail are government domains whose MX points at a commercial security appliance's hostname — Exhibit A above is itself a public authority routed through a third-party filtering vendor. Nothing is misconfigured here. What is notable is how much the MX record reveals: which vendor guards the gate, and therefore which vendor's filtering quirks, bypass techniques, and CVEs apply.
The lesson: your MX record is public reconnaissance surface. That cuts both ways — researchers and senders can read a domain's security posture from a single lookup, and so can attackers. Publishing an MX is unavoidable if you want mail; knowing what it advertises about you is just good hygiene.
Why we collect these
The curiosities are entertaining, but they earn their place in the dataset for a serious reason: they calibrate everything else. Knowing that 4,925 domains have empty MX targets and 253 point at a bare mail tells you how much of the "unreachable" internet is broken rather than protected, and it keeps our classification pipeline honest about what "has an MX record" actually means. The exhibits above, and the rest of the unmatched long tail, are browsable in the report's long-tail pages — new oddities check in nightly.