The Simple Mail Transfer Protocol (SMTP) is the internet standard protocol for sending electronic mail (email). It’s an Application Layer (Layer 7) protocol in the TCP/IP model and is responsible for pushing email messages from a sender’s mail client to a mail server, or between mail servers.
Think of SMTP as the digital equivalent of a postal service that picks up your letter, routes it through various post offices, and finally delivers it to the recipient’s local post office.
How SMTP Works (The Mail Delivery Process):
SMTP works in conjunction with other protocols (like DNS) and involves several components:
- Mail User Agent (MUA) / Email Client: This is the software you use to compose and read emails (e.g., Outlook, Gmail in a browser, Apple Mail, Thunderbird).
- Mail Submission Agent (MSA): This is the component of your outgoing mail server that receives emails from your MUA. When you click “Send,” your email client connects to your configured outgoing SMTP server.
- Mail Transfer Agent (MTA): This is the core component responsible for transferring (relaying) emails between mail servers. An SMTP server typically runs an MTA.
- Mail Delivery Agent (MDA): This is the component of the recipient’s mail server that receives emails from MTAs and places them into the recipient’s inbox (mailbox).
Here’s the typical flow when you send an email:
- You compose an email in your MUA (e.g., Outlook).
- Your MUA connects to your outgoing SMTP server (MSA): When you hit “Send,” your MUA establishes a TCP connection (typically on port 587 or 465, historically 25) to your configured outgoing SMTP server.
- SMTP Conversation (Commands and Responses): Your MUA and the SMTP server engage in a series of commands and responses:
  - HELO/EHLO: The client identifies itself (e.g., EHLO mycomputer.example.com).
  - MAIL FROM: The client specifies the sender’s email address (e.g., MAIL FROM:<you@yourdomain.com>).
  - RCPT TO: The client specifies the recipient’s email address (e.g., RCPT TO:<recipient@otherdomain.com>). This command can be issued multiple times for multiple recipients.
  - DATA: The client indicates that the actual email content (headers like Subject, To, From, and the email body) will follow. The server then waits for the data.
  - Email Content: The client sends the full email message.
  - End of Data: The client sends a special sequence (a single dot “.” on a line by itself) to signal the end of the email data.
  - Server Acknowledges: The server processes the email and sends a response indicating whether the message was accepted for delivery.
- Server-to-Server Relay (MTA to MTA):
  - Your outgoing SMTP server (acting as an MTA) looks at the recipient’s email address (e.g., recipient@otherdomain.com).
  - It uses DNS (Domain Name System) to find the Mail Exchange (MX) record for otherdomain.com. The MX record tells it the IP address of the recipient’s mail server.
  - Your SMTP server then establishes a new TCP connection to the recipient’s SMTP server (another MTA, typically on port 25).
  - It repeats the SMTP conversation (HELO, MAIL FROM, RCPT TO, DATA) to transfer the email message.
- Final Delivery (MTA to MDA):
  - The recipient’s SMTP server (MTA) receives the email.
  - Its Mail Delivery Agent (MDA) takes the message and places it into the correct recipient’s mailbox on that server.
- Recipient Retrieval (POP3/IMAP):
  - When the recipient checks their email using their MUA, it connects to their mail server using a different protocol:
    - POP3 (Post Office Protocol 3): Downloads emails from the server to the client and often deletes them from the server.
    - IMAP (Internet Message Access Protocol): Keeps emails on the server and synchronizes them across multiple devices.
Crucially, SMTP is a “push” protocol (for sending), while POP3/IMAP are “pull” protocols (for receiving).
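The SMTP conversation described above, seen from the server side, as an added example that is not part of the original page: a toy state machine that enforces command order, accepts repeated RCPT TO, and handles the end-of-data dot. The host name mail.example.net, the reply texts and the transcript are constructed for illustration.

```python
def smtp_session(client_lines):
    """Feed client lines to a toy SMTP server; return (replies, messages)."""
    replies, messages = ["220 mail.example.net ESMTP ready"], []
    state, sender, rcpts, body = "start", None, [], []
    for line in client_lines:
        if state == "data":
            if line == ".":                      # lone dot ends the message
                messages.append((sender, rcpts, "\n".join(body)))
                replies.append("250 OK: queued")
                state, sender, rcpts, body = "greeted", None, [], []
            else:
                # Dot-unstuffing: the client doubles a leading dot so body
                # text can never be mistaken for the end-of-data marker.
                body.append(line[1:] if line.startswith(".") else line)
            continue
        verb = line.upper()
        if verb.startswith(("HELO ", "EHLO ")):
            state, sender, rcpts = "greeted", None, []
            replies.append("250 mail.example.net")
        elif verb.startswith("MAIL FROM:") and state == "greeted":
            sender, state = line[10:].strip(" <>"), "mail"
            replies.append("250 OK")
        elif verb.startswith("RCPT TO:") and state in ("mail", "rcpt"):
            rcpts.append(line[8:].strip(" <>"))   # one per recipient
            state = "rcpt"
            replies.append("250 OK")
        elif verb == "DATA" and state == "rcpt":
            state = "data"
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
            break
        else:
            replies.append("503 Bad sequence of commands")
    return replies, messages

# Constructed transcript: two recipients and one dot-stuffed body line.
TRANSCRIPT = [
    "EHLO mycomputer.example.com",
    "MAIL FROM:<you@yourdomain.com>",
    "RCPT TO:<recipient@otherdomain.com>",
    "RCPT TO:<second@otherdomain.com>",
    "DATA",
    "Subject: hello",
    "",
    "..this line began with one dot",
    ".",
    "QUIT",
]
```

Note that the envelope sender taken from MAIL FROM is stored separately from the headers inside the DATA payload; nothing in the protocol ties the two together.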
SMTP Ports:
SMTP uses several well-known TCP ports:
- Port 25 (SMTP Relay):
  - Historically the primary port for SMTP.
  - Still used for server-to-server email relay (MTA to MTA communication).
  - Often blocked by ISPs for outgoing connections from residential users to combat spam, as it was widely abused by spammers.
  - Generally not recommended for email client (MUA) submission unless strictly necessary and secured.
- Port 587 (SMTP Submission – Recommended):
  - This is the standard and recommended port for email clients (MUAs) to submit outgoing mail to their mail server.
  - It supports STARTTLS, which initiates a plaintext connection and then upgrades it to an encrypted (TLS/SSL) connection if both client and server support it.
  - Requires authentication (username and password), preventing unauthorized relaying.
- Port 465 (SMTPS – Legacy):
  - This port was once registered for SMTPS (SMTP Secure), which implies that the connection is encrypted with SSL/TLS from the very beginning (implicit TLS).
  - It was officially deprecated by RFCs in favor of STARTTLS on port 587, but many legacy systems and some email providers still support it.
- Port 2525 (Alternative):
  - Not an official SMTP port, but often used as an alternative or fallback port for SMTP submission when ports 587 or 465 are blocked by firewalls or ISPs. It also supports encryption.
SMTP Security:
Originally, SMTP was designed without security in mind, leading to significant vulnerabilities:
- Plaintext Communication: By default, SMTP transmitted all data, including usernames, passwords, and email content, in unencrypted plaintext. This made it highly vulnerable to eavesdropping and credential theft.
- Open Relays: Misconfigured SMTP servers could be “open relays,” meaning they would accept and forward emails from anyone, regardless of whether they were authorized. This was heavily exploited by spammers.
- Email Spoofing: SMTP has no built-in mechanism to verify the sender’s identity, making it easy to forge the “From” address (email spoofing).
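The open-relay misconfiguration above, beside a RCPT TO policy that closes it, as an added example that is not part of the original page. It follows the port roles described earlier (587 for authenticated submission, 25 for server-to-server delivery); the Session class, LOCAL_DOMAINS and the sample addresses are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical: the domains this server hosts mailboxes for.
LOCAL_DOMAINS = {"yourdomain.com"}

@dataclass
class Session:
    port: int
    tls_active: bool = False      # STARTTLS (or implicit TLS) completed
    authenticated: bool = False   # SMTP AUTH succeeded

def open_relay_policy(session, rcpt):
    """The misconfiguration: any client may send to any recipient."""
    return "250 OK"

def rcpt_policy(session, rcpt):
    """Hardened decision for the reply to RCPT TO."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if session.port == 587:
        # Submission: credentials must never cross the wire in plaintext,
        # so TLS comes first, then authentication, then relaying.
        if not session.tls_active:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if not session.authenticated:
            return "530 5.7.0 Authentication required"
        return "250 OK"
    # Port 25: other MTAs connect unauthenticated, so accept mail only
    # for mailboxes hosted here and never forward to third parties.
    if domain in LOCAL_DOMAINS:
        return "250 OK"
    return "550 5.7.1 Relaying denied"
```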
To address these issues, modern email systems use several security enhancements:
- STARTTLS (Explicit TLS): As mentioned, this allows an SMTP connection to start unencrypted and then switch to an encrypted TLS/SSL session. This is the primary method for securing SMTP traffic on ports 587 and 25 (if supported).
- SMTPS (Implicit TLS): Encryption is assumed from the start of the connection on ports like 465.
- Authentication: Requires users to provide a username and password before they can send mail through the server.
- Email Authentication Protocols: These don’t encrypt the email content, but they help verify sender identity and prevent spoofing:
  - SPF (Sender Policy Framework): Allows domain owners to publish a list of authorized mail servers that can send email on behalf of their domain.
  - DKIM (DomainKeys Identified Mail): Adds a digital signature to outgoing emails, allowing recipients to verify that the email was sent by the domain owner and has not been tampered with.
  - DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM, allowing domain owners to specify how receiving mail servers should handle emails that fail SPF or DKIM checks (e.g., quarantine, reject, or allow) and to receive reports on their email authentication status.
SMTP is the backbone of email communication, tirelessly pushing messages across the internet. While its original design had significant security flaws, the addition of TLS/SSL encryption and authentication mechanisms has made it much more secure for modern use.