Microsoft mishandling example.com
TL;DR: Since at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
Problem
While setting up email@example.com as a dummy account in Outlook (on both Windows and macOS), Outlook consistently auto-configured it to use imapgms.jnet.sei.co.jp (IMAP) and smtpgms.jnet.sei.co.jp (SMTP) despite example.com being an IANA-reserved domain that should not resolve to real services.
The same behavior appeared on different machines, profiles, networks, and DNS resolvers, including a newly provisioned Windows 365 Cloud PC.
Confirmation
DNS verification
Confirm that example.com has no DNS records pointing to sei.co.jp:
% dig MX example.com +short
0 .
% dig CNAME autodiscover.example.com +short
(no response)
% dig SRV _autodiscover._tcp.example.com +short
(no response)
The domain has a null MX record (indicating it doesn't accept email) and no Autodiscover DNS entries, confirming the misconfiguration exists entirely within Microsoft's database.
Microsoft autodiscover API response
Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/detect?app=outlookdesktopBasic":
* Host prod.autodetect.outlook.cloud.microsoft:443 was resolved.
* IPv6: (none)
* IPv4: 172.169.69.94
* Trying 172.169.69.94:443...
* Connected to prod.autodetect.outlook.cloud.microsoft (172.169.69.94) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=autodetect.outlookmobile.com
* start date: Nov 1 12:31:46 2025 GMT
* expire date: Jan 30 12:31:46 2026 GMT
* subjectAltName: host "prod.autodetect.outlook.cloud.microsoft" matched cert's "*.autodetect.outlook.cloud.microsoft"
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure RSA TLS Issuing CA 03
* SSL certificate verify ok.
* using HTTP/2
* Server auth using Basic with user 'email@example.com'
* [HTTP/2] [1] OPENED stream for https://prod.autodetect.outlook.cloud.microsoft/autodetect/detect?app=outlookdesktopBasic
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: prod.autodetect.outlook.cloud.microsoft]
* [HTTP/2] [1] [:path: /autodetect/detect?app=outlookdesktopBasic]
* [HTTP/2] [1] [authorization: Basic ZW1haWxAZXhhbXBsZS5jb206cGFzc3dvcmQ=]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /autodetect/detect?app=outlookdesktopBasic HTTP/2
> Host: prod.autodetect.outlook.cloud.microsoft
> Authorization: Basic ZW1haWxAZXhhbXBsZS5jb206cGFzc3dvcmQ=
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< content-type: application/json; charset=utf-8
< date: Mon, 08 Dec 2025 21:32:58 GMT
< server: Kestrel
< strict-transport-security: max-age=2592000
< x-olm-source-endpoint: /detect
< x-provider-id: seeatest
< x-debug-support: eyJkZWNpc2lvbiI6ImF1dG9EdjIgPiBhdXRvRHYxID4gZml4ZWQgZGIgcHJvdmlkZXIgPiBmaXhlZCBkYiBkb21haW4gcHJvdG9jb2xzID4gZGIgcHJvdmlkZXIgPiBkYiBkb21haW4gcHJvdG9jb2xzIiwiYXV0b0QiOnsidjIiOm51bGwsInYxIjpudWxsfSwiZGIiOnsicHJvdmlkZXIiOnsiRG9tYWluSWQiOm51bGwsIklkIjoic2VlYXRlc3QiLCJTZXJ2aWNlIjpudWxsLCJQcm90b2NvbHMiOlt7InByb3RvY29sIjoic210cCIsIkRvbWFpbiI6bnVsbCwiSG9zdG5hbWUiOiJzbXRwZ21zLmpuZXQuc2VpLmNvLmpwIiwiUG9ydCI6NDY1LCJFbmNyeXB0aW9uIjoiU3NsIiwiSXNDcm93ZHNvdXJjZWQiOm51bGwsIkZlZWRiYWNrcyI6bnVsbCwiSW5zZWN1cmUiOm51bGwsIlNlY3VyZSI6IlRydWUiLCJVc2VybmFtZSI6IntlbWFpbH0iLCJWYWxpZGF0ZWQiOmZhbHNlLCJBdXRvZGlzY292ZXIiOm51bGwsIkFhZCI6bnVsbH0seyJwcm90b2NvbCI6ImltYXAiLCJEb21haW4iOm51bGwsIkhvc3RuYW1lIjoiaW1hcGdtcy5qbmV0LnNlaS5jby5qcCIsIlBvcnQiOjk5MywiRW5jcnlwdGlvbiI6IlNzbCIsIklzQ3Jvd2Rzb3VyY2VkIjpudWxsLCJGZWVkYmFja3MiOm51bGwsIkluc2VjdXJlIjpudWxsLCJTZWN1cmUiOiJUcnVlIiwiVXNlcm5hbWUiOiJ7ZW1haWx9IiwiVmFsaWRhdGVkIjpmYWxzZSwiQXV0b2Rpc2NvdmVyIjpudWxsLCJBYWQiOm51bGx9XSwiQ3JlYXRlZEF0IjoiMjAyMC0wMi0wM1QwNTozMToyMy4yOTgwMjQ4IiwiVXBkYXRlZEF0IjoiMjAyMC0wMi0wM1QwOToxMjo1OS4wMjQ1ODciLCJQcmVkaWNhdGVzIjpudWxsLCJBdXRvRHYyRW5kcG9pbnQiOm51bGwsIkNvbW1lbnQiOm51bGwsIkZlZWRiYWNrcyI6bnVsbCwiSXNDcm93ZHNvdXJjZWQiOmZhbHNlfSwiZG9tYWluIjp7ImZpeGVkIjpmYWxzZSwiYXV0b0R2MkVuZHBvaW50IjpudWxsLCJwcm92aWRlcklkIjoic2VlYXRlc3QiLCJwcm90b2NvbHMiOm51bGx9fX0=
< x-autodv2-error: ENOTFOUND
< x-feedback-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJEIjoiZXhhbXBsZS5jb20iLCJQSSI6InNlZWF0ZXN0IiwiUyI6W10sIlAiOlsiaW1hcHM6Ly9pbWFwZ21zLmpuZXQuc2VpLmNvLmpwOjk5MyIsInNtdHBzOi8vc210cGdtcy5qbmV0LnNlaS5jby5qcDo0NjUiXSwiUFQiOiJpbWFwIHNtdHAiLCJleHAiOjE3NjUyMzMxNzgsImlhdCI6MTc2NTIyOTU3OH0.-ohD7c9hytRZK_b4EJ0M5Tke7hl8u1wjsMYRV71GZik
< x-dns-prefetch-control: off
< x-frame-options: SAMEORIGIN
< x-download-options: noopen
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-instance-id: autodetect-deployment-76fffc487d-wfs4b
< x-response-time: 3472 ms
< x-request-id: f1b6525f-6d11-4add-a0e4-0b677d89f9eb
< x-autodetect-cv: f1b6525f-6d11-4add-a0e4-0b677d89f9eb
<
* Connection #0 to host prod.autodetect.outlook.cloud.microsoft left intact
{"email":"email@example.com","services":[],"protocols":[{"protocol":"imap","hostname":"imapgms.jnet.sei.co.jp","port":993,"encryption":"ssl","username":"email@example.com","validated":false},{"protocol":"smtp","hostname":"smtpgms.jnet.sei.co.jp","port":465,"encryption":"ssl","username":"email@example.com","validated":false}]}%
The JSON response:
{
"email": "email@example.com",
"services": [],
"protocols": [
{
"protocol": "imap",
"hostname": "imapgms.jnet.sei.co.jp",
"port": 993,
"encryption": "ssl",
"username": "email@example.com",
"validated": false
},
{
"protocol": "smtp",
"hostname": "smtpgms.jnet.sei.co.jp",
"port": 465,
"encryption": "ssl",
"username": "email@example.com",
"validated": false
}
]
}
Decoded debug header
The x-debug-support header (Base64-decoded) reveals additional details:
| Field | Value |
|---|---|
| Provider ID | seeatest |
| Created | 2020-02-03 05:31:23 UTC |
| Updated | 2020-02-03 09:12:59 UTC |
| IsCrowdsourced | false |
This misconfiguration has existed for nearly six years and was not crowdsourced. It appears to have been manually added to Microsoft's database.
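A client-side check for the condition shown above, added here as an example and not taken from the original post or from Microsoft: it flags an autodetect response that maps an RFC 2606 / RFC 6761 reserved domain to a real mail host and reports the provider record from `x-debug-support`. The function names (`is_reserved`, `decode_debug_header`, `audit`) are assumptions, the `db.provider` path follows the header as decoded from the response above, and the debug header sample is a constructed, trimmed stand-in.

```python
import base64
import json

# RFC 2606 / RFC 6761 reserved names; none should ever map to a real mail host.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}

def is_reserved(domain):
    domain = domain.lower().rstrip(".")
    return (domain.rsplit(".", 1)[-1] in RESERVED_TLDS
            or any(domain == r or domain.endswith("." + r) for r in RESERVED_DOMAINS))

def decode_debug_header(value):
    """Base64-decode an x-debug-support value into a dict, tolerating missing padding."""
    return json.loads(base64.b64decode(value + "=" * (-len(value) % 4)))

def audit(email, body, debug_header=None):
    """List findings for an autodetect response before any credentials are sent."""
    domain = email.rsplit("@", 1)[1].lower()
    findings = []
    for proto in body.get("protocols", []):
        host = proto["hostname"].lower()
        if is_reserved(domain):
            findings.append(f"reserved domain {domain} mapped to {host}")
        elif host != domain and not host.endswith("." + domain):
            findings.append(f"{proto['protocol']} host {host} is outside {domain}")
        if proto.get("validated") is False:
            findings.append(f"{host} entry has validated=false")
    decoded = decode_debug_header(debug_header) if debug_header else {}
    provider = (decoded.get("db") or {}).get("provider")
    if provider:
        findings.append(f"db provider {provider['Id']} created {provider['CreatedAt']}, "
                        f"crowdsourced={provider['IsCrowdsourced']}")
    return findings

# Response body copied from the page's curl output.
SAMPLE_BODY = json.loads(
    '{"email":"email@example.com","services":[],"protocols":['
    '{"protocol":"imap","hostname":"imapgms.jnet.sei.co.jp","port":993,'
    '"encryption":"ssl","username":"email@example.com","validated":false},'
    '{"protocol":"smtp","hostname":"smtpgms.jnet.sei.co.jp","port":465,'
    '"encryption":"ssl","username":"email@example.com","validated":false}]}')
# Constructed, trimmed stand-in for x-debug-support: only the fields in the table above.
SAMPLE_DEBUG = base64.b64encode(json.dumps({"db": {"provider": {
    "Id": "seeatest", "CreatedAt": "2020-02-03T05:31:23",
    "IsCrowdsourced": False}}}).encode()).decode()

if __name__ == "__main__":
    print("\n".join(audit("email@example.com", SAMPLE_BODY, SAMPLE_DEBUG)))
```

A host outside the mailbox's domain is common for hosted mail and is informational on its own; the reserved-domain finding is the one that should block sending credentials.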
Concerns
- Credential exposure risk: If a user enters real credentials while testing with example.com, those credentials could be sent to sei.co.jp's mail servers.
- Trust model violation: IANA reserved example.com specifically for safe use in documentation and testing; Microsoft's database entry undermines that.
- Database poisoning precedent: Microsoft's Autodiscover database can silently redirect users to unintended third-party servers.
❧ 2026-01-01