One of the most useful elements of contact information you can gather is an email address. Email is the main point of internal and external contact for many individuals in many organizations. It is also a common vector for soliciting information about people and organizations, as well as more intrusive social engineering attacks. Email addresses are also commonly used in place of user names in systems that manage user accounts. This can make it easier for you to focus your online password cracking attacks or other techniques for gaining unauthorized access.
In addition to email addresses themselves, you should also consider enumerating mail-related DNS records. An MX record tells you which server handles mail sent to that domain. If you can successfully compromise the mail servers, you can effectively compromise the lines of communication within the domain. Another record of note is the Sender Policy Framework (SPF) record, published as a TXT record on the domain. SPF lists the IP addresses (and, through include and other mechanisms, the hosts) that are authorized to send mail on the domain's behalf, and a receiving server checks the connecting sender's IP address against that list. This is an effort to mitigate email spoofing used in spam, phishing, and other email-based attacks. For the pen test, identifying the presence of an SPF record may encourage you not to waste your time on spoofing messages; alternatively, you might focus your efforts on targeting the host with the trusted IP address identified in the record.
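To make the SPF check concrete, the following added example (not from the original text) evaluates a sender IP against an SPF record the way a receiving mail server does, and flags records whose trailing `all` term is permissive. The domains and records are constructed samples, and `include:` is resolved from the sample dictionary instead of live DNS; the `a`, `mx`, `exists`, and `ptr` mechanisms, which need DNS lookups, are skipped.

```python
"""Offline SPF evaluator for a constructed set of TXT records (hypothetical domains)."""
import ipaddress

# Constructed sample records; "include:" is resolved from this dict, not from DNS.
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "weak.example.test": "v=spf1 ip4:203.0.113.5 +all",
}

# SPF qualifier prefix -> result name; a term with no prefix is implicitly "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def split_term(term):
    """Return (qualifier, mechanism) for one SPF term such as '-all' or 'ip4:...'."""
    return (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)


def evaluate_spf(domain, sender_ip, records=SAMPLE_TXT, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no usable record (or include chain too deep)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mechanism = split_term(term)
        name, _, arg = mechanism.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: applies to every unmatched sender
        if name in ("ip4", "ip6"):
            # Mismatched address families simply do not match, no exception is raised.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass".
            if evaluate_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists, ptr, redirect= need live DNS and are skipped here.
    return "neutral"  # nothing matched and there was no "all" term


def weak_all(record):
    """True when the record lets unlisted senders through (+all, ?all, or no 'all')."""
    for term in record.split()[1:]:
        qualifier, mechanism = split_term(term)
        if mechanism == "all":
            return qualifier in ("+", "?")
    return True  # no "all" term: unmatched senders are treated as neutral
```

Run the evaluator against your own domain's record to confirm that only your legitimate sending hosts pass and that the record ends in `-all` or `~all`.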