SMTP: Simple Mail Transfer Protocol Explained
SMTP (Simple Mail Transfer Protocol) is the standard protocol for sending email across the internet, as defined in RFC 5321. Understanding SMTP is essential for email administrators, developers implementing email functionality, and anyone troubleshooting email delivery issues. This comprehensive guide explains how SMTP works, the email delivery process, security considerations, and best practices.
What is SMTP?
SMTP is an internet standard communication protocol for electronic mail transmission. Defined in RFC 5321, SMTP is used by mail servers to send, receive, and relay outgoing mail between email senders and receivers.
SMTP Basics
Protocol characteristics:
Layer: Application layer (Layer 7)
Transport: TCP
Ports: 25, 587, 465
Purpose: Send/relay email
Direction: Outgoing mail
Authentication: Optional (recommended)
SMTP vs other email protocols:
SMTP: Sending/relaying email; ports 25, 587, 465
POP3: Retrieving email (download and delete); ports 110, 995 (SSL)
IMAP: Retrieving email (sync, server-side storage); ports 143, 993 (SSL)
Email flow:
Sender → SMTP Server (outgoing) → Internet (multiple hops possible) → SMTP Server (receiving) → Recipient's Mailbox
How SMTP Works
SMTP Session
Basic SMTP conversation:
Client: EHLO client.example.com
Server: 250-mail.example.com Hello client.example.com
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 HELP
Client: MAIL FROM:<sender@example.com>
Server: 250 OK
Client: RCPT TO:<recipient@example.com>
Server: 250 OK
Client: DATA
Server: 354 Start mail input; end with <CRLF>.<CRLF>
Client: From: sender@example.com
To: recipient@example.com
Subject: Test Email

This is the email body.
.
Server: 250 OK: queued as 12345
Client: QUIT
Server: 221 Bye
SMTP Commands
Connection commands:
HELO domain: Identify client (old)
EHLO domain: Extended HELO (modern)
QUIT: Close connection
Mail transaction:
MAIL FROM:<email>: Specify sender
RCPT TO:<email>: Specify recipient
DATA: Begin message content
RSET: Reset transaction
Extended commands:
AUTH: Authentication
STARTTLS: Upgrade to encrypted connection
VRFY: Verify email address
EXPN: Expand mailing list
HELP: Get help
SMTP Response Codes
2xx - Success:
220: Service ready
221: Service closing
250: Requested action completed
251: User not local, will forward
3xx - Intermediate:
354: Start mail input
4xx - Temporary failure:
421: Service not available
450: Mailbox unavailable
451: Local error
452: Insufficient storage
5xx - Permanent failure:
500: Syntax error
501: Syntax error in parameters
502: Command not implemented
503: Bad sequence of commands
550: Mailbox unavailable (not found)
551: User not local
552: Exceeded storage allocation
553: Mailbox name not allowed
554: Transaction failed
SMTP Ports
Port 25 (Traditional SMTP)
Purpose:
Server-to-server communication
Mail relay between servers
Original SMTP port
Characteristics:
Unencrypted by default
Often blocked by ISPs
Used for MX record delivery
Not for client submission
ISP blocking:
Reason: Spam prevention
Impact: Can't send from residential IPs
Workaround: Use port 587
Alternative: ISP's SMTP server
Port 587 (Submission)
Purpose:
Client-to-server submission
Email client to mail server
Modern standard for sending
Characteristics:
Requires authentication
STARTTLS encryption
Recommended for clients
Not blocked by ISPs
Configuration:
Port: 587
Encryption: STARTTLS (explicit)
Authentication: Required
Use: Email clients, applications
Port 465 (SMTPS)
Purpose:
SMTP over SSL/TLS
Implicit encryption
Legacy but still used
Characteristics:
Encrypted from start
No STARTTLS needed
Originally deprecated, now valid
Alternative to 587
Status:
Originally: Deprecated
Now: Valid alternative (RFC 8314)
Encryption: Implicit SSL/TLS
Use: Some email providers prefer
Email Delivery Process
Sending Email
Step-by-step:
1. User composes email in client
2. Client connects to SMTP server (port 587)
3. Client authenticates
4. Client sends email via SMTP
5. Server accepts and queues email
6. Server looks up recipient's MX record
7. Server connects to recipient's SMTP server
8. Server delivers email
9. Recipient's server stores email
10. Recipient retrieves via POP3/IMAP
MX Records
DNS MX record:
example.com. IN MX 10 mail1.example.com.
example.com. IN MX 20 mail2.example.com.
Priority: Lower number = higher priority
Backup: Higher-numbered (lower-priority) record used for failover
MX lookup:
# Check MX records
dig example.com MX
# Or
nslookup -type=MX example.com
# Result:
example.com mail exchanger = 10 mail.example.com.
Delivery process:
1. Look up MX records for recipient domain
2. Sort by priority (lowest first)
3. Try to connect to highest priority server
4. If fails, try next priority
5. Deliver to first available server
Email Headers
Essential headers:
From: sender@example.com
To: recipient@example.com
Subject: Email Subject
Date: Mon, 7 Mar 2024 14:00:00 -0500
Message-ID: <unique-id@example.com>
Routing headers:
Received: from mail.sender.com by mail.recipient.com
Return-Path: <sender@example.com>
Reply-To: reply@example.com
Full email structure:
From: sender@example.com
To: recipient@example.com
Subject: Test Email
Date: Mon, 7 Mar 2024 14:00:00 -0500
Message-ID: <12345@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

This is the email body.
SMTP Authentication
AUTH Command
Authentication methods:
PLAIN: Base64-encoded username/password
LOGIN: Legacy, similar to PLAIN
CRAM-MD5: Challenge-response
DIGEST-MD5: More secure challenge-response
XOAUTH2: OAuth 2.0 (Gmail, etc.)
PLAIN authentication:
Client: AUTH PLAIN
Server: 334
Client: AGFsaWNlAHNlY3JldHBhc3N3b3Jk
(Base64: \0username\0password)
Server: 235 Authentication successful
LOGIN authentication:
Client: AUTH LOGIN
Server: 334 VXNlcm5hbWU6 (Base64: Username:)
Client: YWxpY2U= (Base64: alice)
Server: 334 UGFzc3dvcmQ6 (Base64: Password:)
Client: c2VjcmV0cGFzc3dvcmQ= (Base64: secretpassword)
Server: 235 Authentication successful
Security Considerations
Plain text credentials:
Problem: AUTH PLAIN sends the password Base64-encoded, which is an encoding, not encryption
Risk: Easily decoded by anyone who can read the traffic
Solution: Use only over STARTTLS/SSL
Require encryption:
STARTTLS before AUTH
Or use port 465 (implicit SSL)
Never send credentials unencrypted
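To make the point about Base64 concrete, the following added example (not part of the original article) decodes the AUTH PLAIN and AUTH LOGIN tokens shown above back into their credentials. The function names are chosen here for illustration; the tokens are the sample values from this page.

```python
import base64

def decode_auth_plain(token):
    """Split an AUTH PLAIN response into (authzid, username, password)."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL username NUL password")
    return tuple(p.decode("utf-8") for p in parts)

def encode_auth_plain(username, password, authzid=""):
    """Build the token a client sends after 'AUTH PLAIN'."""
    message = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(message).decode("ascii")

def decode_auth_login(b64_lines):
    """Decode each Base64 line of an AUTH LOGIN exchange, in order."""
    return [base64.b64decode(line, validate=True).decode("utf-8")
            for line in b64_lines]

# Sample tokens taken from the sessions shown above.
PLAIN_TOKEN = "AGFsaWNlAHNlY3JldHBhc3N3b3Jk"
LOGIN_LINES = ["VXNlcm5hbWU6", "YWxpY2U=", "UGFzc3dvcmQ6", "c2VjcmV0cGFzc3dvcmQ="]

if __name__ == "__main__":
    # No key is involved: anyone who sees the token sees the password.
    print(decode_auth_plain(PLAIN_TOKEN))
    print(decode_auth_login(LOGIN_LINES))
```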
SMTP Security
STARTTLS
Purpose:
Upgrade plain connection to encrypted
Opportunistic encryption
Protects credentials and content
Process:
Client: EHLO client.example.com
Server: 250-STARTTLS
Client: STARTTLS
Server: 220 Ready to start TLS
[TLS handshake]
Client: EHLO client.example.com (again, encrypted)
Server: 250-AUTH PLAIN LOGIN
Client: AUTH PLAIN ...
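The client-side decision in this exchange, as an added example that is not code from the original article: it parses a multi-line EHLO reply into its advertised extensions and refuses to authenticate unless TLS is already active. The function names and the sample replies are constructed for illustration.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(lines):
    """Parse one SMTP reply (single or multi-line) into (code, [texts])."""
    code, texts = None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {raw!r}")
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":          # "250-" continues, "250 " ends the reply
            return int(code), texts
    raise ValueError("reply ended without a final line")

def ehlo_capabilities(lines):
    """Map each advertised extension keyword to its parameter list."""
    code, texts = parse_reply(lines)
    if code != 250:
        raise ValueError(f"EHLO failed with {code}")
    caps = {}
    for text in texts[1:]:             # line 1 is the greeting, not an extension
        words = text.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def next_step(caps, tls_active):
    """Client policy: never authenticate on a connection that is not encrypted."""
    if not tls_active:
        # A missing STARTTLS line can mean the offer was stripped in transit:
        # stop instead of falling back to plaintext AUTH.
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    return "AUTH" if "AUTH" in caps else "ABORT"

# Constructed sample replies; the first matches the basic session shown earlier.
BEFORE_TLS = ["250-mail.example.com Hello client.example.com", "250-SIZE 52428800",
              "250-8BITMIME", "250-STARTTLS", "250 HELP"]
AFTER_TLS = ["250-mail.example.com Hello client.example.com",
             "250-AUTH PLAIN LOGIN", "250 HELP"]
NO_STARTTLS = AFTER_TLS   # same capability list, seen while still in plaintext

if __name__ == "__main__":
    for name, reply, tls in [("before TLS", BEFORE_TLS, False),
                             ("after TLS", AFTER_TLS, True),
                             ("AUTH offered without STARTTLS", NO_STARTTLS, False)]:
        print(name, "->", next_step(ehlo_capabilities(reply), tls))
```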
Configuration (Postfix):
# /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
SPF (Sender Policy Framework)
Purpose:
Prevent email spoofing
Specify authorized mail servers
DNS-based verification
SPF record:
example.com. IN TXT "v=spf1 mx ip4:203.0.113.0/24 include:_spf.google.com ~all"
Components:
v=spf1: Version
mx: MX servers authorized
ip4: Specific IP addresses
include: Include another domain's SPF
~all: Soft fail for others
SPF results:
Pass: Authorized sender
Fail: Unauthorized sender
SoftFail: Probably unauthorized
Neutral: No policy
None: No SPF record
DKIM (DomainKeys Identified Mail)
Purpose:
Email authentication
Cryptographic signature
Verify sender and integrity
How it works:
1. Sender signs email with private key
2. Signature added to email header
3. Public key published in DNS
4. Receiver verifies signature with public key
5. Confirms email not modified
DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=default;
h=from:to:subject:date;
bh=base64-body-hash;
b=base64-signature
DNS record:
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=public-key"
DMARC (Domain-based Message Authentication)
Purpose:
Policy for SPF/DKIM failures
Reporting mechanism
Prevent domain spoofing
DMARC record:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Components:
v=DMARC1: Version
p=quarantine: Policy (none, quarantine, reject)
rua: Aggregate report email
ruf: Forensic report email
pct: Percentage of messages to filter
Policies:
none: Monitor only, no action
quarantine: Mark as spam
reject: Reject email
SMTP Server Configuration
Postfix
Installation:
# Debian/Ubuntu
sudo apt install postfix
# RHEL/CentOS
sudo yum install postfix
Basic configuration (/etc/postfix/main.cf):
# Network settings
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Mail delivery
home_mailbox = Maildir/
# SMTP authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
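# TLS
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
# Offer AUTH only after STARTTLS, so credentials are never sent unencrypted
smtpd_tls_auth_only = yes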
# Restrictions
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
Port configuration (/etc/postfix/master.cf):
# Port 25 (receiving)
smtp inet n - y - - smtpd
# Port 587 (submission)
submission inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# Port 465 (smtps)
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
Start service:
sudo systemctl start postfix
sudo systemctl enable postfix
Testing SMTP
Telnet:
telnet mail.example.com 25
# Or OpenSSL for TLS
openssl s_client -connect mail.example.com:587 -starttls smtp
Manual SMTP session:
EHLO test.com
MAIL FROM:<test@example.com>
RCPT TO:<recipient@example.com>
DATA
From: test@example.com
To: recipient@example.com
Subject: Test

This is a test.
.
QUIT
Command line tools:
# sendmail
echo "Test email" | sendmail recipient@example.com
# mail
echo "Test email" | mail -s "Subject" recipient@example.com
# swaks (SMTP test tool)
swaks --to recipient@example.com --from sender@example.com --server mail.example.com
Email Client Configuration
Common Settings
Outgoing mail (SMTP):
Server: mail.example.com
Port: 587 (or 465)
Encryption: STARTTLS (or SSL/TLS)
Authentication: Required
Username: user@example.com
Password: ********
Popular providers:
Gmail:
SMTP: smtp.gmail.com
Port: 587 (TLS) or 465 (SSL)
Authentication: Required
App password: If 2FA enabled
Outlook/Office 365:
SMTP: smtp.office365.com
Port: 587
Encryption: STARTTLS
Authentication: Required
Yahoo:
SMTP: smtp.mail.yahoo.com
Port: 587 or 465
Encryption: STARTTLS or SSL
Authentication: Required
Troubleshooting SMTP
Connection Issues
Can't connect:
Check: Server running
Check: Firewall rules
Check: Port open (25, 587, 465)
Test: telnet mail.example.com 587
Connection timeout:
Cause: Firewall blocking
Cause: ISP blocking port 25
Solution: Use port 587
Solution: Check firewall rules
Connection refused:
Cause: Service not running
Cause: Wrong port
Check: systemctl status postfix
Check: netstat -tlnp | grep :587
Authentication Issues
Authentication failed:
Check: Username/password correct
Check: Authentication enabled
Check: STARTTLS before AUTH
Check: Account exists
Relay access denied:
Error: 554 Relay access denied
Cause: Not authenticated
Cause: Not in allowed networks
Solution: Enable authentication
Solution: Add to mynetworks
Delivery Issues
Email not delivered:
Check: MX records correct
Check: Recipient address valid
Check: Not blacklisted
Check: SPF/DKIM/DMARC configured
Review: Mail logs
Marked as spam:
Cause: Missing SPF/DKIM/DMARC
Cause: Poor sender reputation
Cause: Spam-like content
Solution: Configure authentication
Solution: Warm up IP address
Solution: Improve content
Bounce messages:
550: Mailbox not found
552: Mailbox full
554: Transaction failed
Check: Bounce message details
Log Analysis
Postfix logs:
# Debian/Ubuntu
tail -f /var/log/mail.log
# RHEL/CentOS
tail -f /var/log/maillog
# Search for specific email
grep "message-id" /var/log/mail.log
Common log entries:
# Successful delivery
status=sent (delivered to mailbox)
# Temporary failure
status=deferred (connection timed out)
# Permanent failure
status=bounced (user unknown)
# Rejected
reject: RCPT from unknown
Best Practices
Security
1. Require authentication:
Never allow open relay
Require SMTP AUTH
Use strong passwords
2. Use encryption:
STARTTLS on port 587
Or SSL/TLS on port 465
Never send credentials unencrypted
3. Implement SPF/DKIM/DMARC:
SPF: Authorize sending servers
DKIM: Sign outgoing email
DMARC: Set policy and reporting
4. Rate limiting:
Limit emails per hour
Prevent abuse
Detect compromised accounts
Deliverability
1. Proper DNS configuration:
MX records
PTR (reverse DNS)
SPF record
DKIM record
DMARC record
2. IP reputation:
Warm up new IPs
Monitor blacklists
Handle bounces
Maintain low complaint rate
3. Content best practices:
Avoid spam triggers
Include unsubscribe link
Proper HTML formatting
Text alternative
4. Monitoring:
Track delivery rates
Monitor bounces
Watch for blacklisting
Review DMARC reports
Conclusion
SMTP is the backbone of email communication, responsible for sending and relaying messages across the internet. Understanding SMTP is essential for email administrators and developers. Modern SMTP requires authentication, encryption (STARTTLS), and proper configuration of SPF, DKIM, and DMARC for security and deliverability.
Key takeaways:
- SMTP sends/relays email
- Port 587 for client submission (recommended)
- Port 25 for server-to-server
- Port 465 for implicit SSL/TLS
- Authentication required for submission
- STARTTLS encrypts connection
- SPF/DKIM/DMARC prevent spoofing
- MX records route email
- Proper configuration essential for deliverability
- Monitor logs and reputation
Bottom line: Properly configured SMTP with authentication, encryption, and email authentication (SPF/DKIM/DMARC) is essential for secure and reliable email delivery. Use port 587 with STARTTLS for client submission, implement proper DNS records, and monitor your email infrastructure to maintain good deliverability and security.