Dangling DNS MX http://dnsinstitute.com/research/dangling-mx/
Dangling MX Targets for Resell https://dnsinstitute.com/research/dangling-mx/dangling-mx-resell.html
1. whois
PDF screenshot This paper shares examples of a novel approach to finding Dangling DNS targets where, due to typos or lack of tracking, DNS MX records may point to domains that are available for third-party purchase and potentially be abused for impersonation, social engineering attacks, and private information theft with partial (like collect some messages) or complete (for two-way communications) email take over.
http://dnsinstitute.com/research/dangling-mx/dangling-mx-nxdomain-provider-domains.html
IP addresses in mail
2. history
Bracketed IP addresses Numeric MX records Many clients, notably sendmail, support IP addresses in MX records: clueless.net. IN MX 0 192.160.127.125. agi.com. 60 IN MX 450 agi-com.mail.protection.office365.us. agi.com. 60 IN MX 460 65.89.176.39. agi.com. 60 IN MX 480 extnpamr00.agi.com. agi.com. 60 IN MX 500 mail.stk.com. fluistr.com. 14400 IN MX 20 174.138.10.9. flickreel.com. 3600 IN MX 1 213.171.216.40. floridasmart.com. 300 IN MX 1 68.66.224.58. foo.com. 600 IN MX 1000 0.0.0.0. Some clients will skip this MX record, since the name 192.160.127.125 does not exist in DNS. Sites that set up numeric MX records end up losing mail. However, there are thousands of numeric MX records, so I strongly encourage clients to support them.