The correct answer is MX. CEH reconnaissance material explains that MX, or Mail Exchange, records identify the mail servers responsible for receiving email for a domain. When a tester wants to understand how an organization handles incoming email traffic, MX records are the most relevant DNS data source because they reveal the designated mail infrastructure and often the priority order of mail servers. In this scenario, the objective is to gather passive intelligence about communication infrastructure without performing active network probing, so querying DNS records is appropriate. SOA records provide domain authority and zone administration information, TXT records often contain verification or policy-related text such as SPF details, and NS records identify authoritative name servers. While those can all contribute to broader reconnaissance, they do not directly answer which systems are responsible for receiving mail. CEH emphasizes that MX records are commonly used during footprinting to identify email infrastructure, support phishing simulations, analyze third-party mail providers, or map communication dependencies. Because the question explicitly asks for the DNS record type that reveals mail server configuration, MX is the correct choice.