Fact-checked by Grok 2 weeks ago

Simple Mail Transfer Protocol

The Simple Mail Transfer Protocol (SMTP) is the foundational Internet standard protocol for the reliable and efficient transmission of electronic mail between message transfer agents (MTAs), such as email servers. It operates as a client-server application-layer protocol over TCP/IP, defining a text-based command-response interaction to transfer mail messages independently of the underlying transmission subsystem, requiring only a reliable ordered data stream channel. Originally specified in RFC 821 in August 1982, SMTP was updated and consolidated in RFC 2821 in April 2001 before being further clarified and revised in RFC 5321 in October 2008, which remains the current core specification as of November 2025, with an updated version (RFC 5321bis) approved for publication. In operation, an SMTP session begins with the client connecting to the server, typically on port 25 as assigned by the (IANA), and issuing an initial greeting command like HELO (for basic SMTP) or EHLO (for Extended SMTP, or ESMTP). The client then specifies the sender with the MAIL FROM command, designates recipients via RCPT TO, and transmits the using the command, concluding with a QUIT command to end the session. This push-based model enables MTAs to relay messages across networks, with servers accepting valid mail for local delivery or further forwarding, while rejecting invalid attempts through response codes. SMTP's simplicity supports its widespread use, though it assumes a trusted network environment without built-in or in its base form. To address modern security needs, SMTP has been extended via ESMTP mechanisms outlined in RFC 5321, incorporating features like STARTTLS for and protocols such as AUTH to prevent unauthorized relaying and . Additional ports, including 587 for secure message submission (as defined in RFC 6409) and 465 for message submission using implicit TLS (as defined in RFC 8314), complement port 25 for client-to-server interactions in secure environments. As the primary for transport, SMTP underpins global email infrastructure, handling approximately 376 billion messages daily as of 2025 while integrating with related standards like RFC 5322 for message formats.

History

Early Precursors

The development of electronic mail predated the Simple Mail Transfer Protocol (SMTP), evolving from local systems on individual computers to rudimentary network-based exchanges on the in the early 1970s. Prior to networked capabilities, programs like MIT's in 1965 allowed users on the same system to exchange messages stored in a shared file, but these were confined to single machines without inter-host communication. In 1971, Ray Tomlinson at Bolt, Beranek and Newman (BBN) extended this concept across the ARPANET by modifying a file-copying utility called CPYNET, derived from the File Transfer Protocol (FTP), to send the first inter-computer messages between TENEX systems. Tomlinson introduced the "@" symbol to delineate the user name from the host computer in addresses, enabling the format "user@host" that became foundational for email routing. This innovation built on ARPANET's SNDMSG program, initially designed for local messaging on PDP-10 computers, allowing messages to be appended to remote mailboxes via network file transfers. Early email relied on ad-hoc mail relays, where messages were forwarded between heterogeneous host systems using improvised scripts or manual intervention to bridge differing operating environments like TENEX and other implementations. For instance, FTP, formalized in RFC 114 in April 1971, was repurposed for "network mail" by transferring text files directly to recipients' mailbox directories on remote hosts, as later documented in RFC 469 (1973). These relays formed primitive distribution lists and supported basic forwarding, but operated without a unified addressing or delivery mechanism. Such pre-SMTP systems suffered from significant limitations, including a lack of that hindered across diverse hosts, reliance on proprietary formats tied to specific software like SNDMSG, and vulnerability to network failures without robust error handling or queuing. Message formats varied, often embedding content in unstructured text files, which complicated parsing and multi-hop transmission as the network expanded beyond a handful of nodes. To address these issues, RFC 822 was published in 1982, establishing a standardized syntax for ARPA text messages with structured headers for fields like From, To, and , facilitating broader compatibility. This format standard helped pave the way for SMTP as a dedicated transfer protocol to overcome the inefficiencies of FTP-based relays.

Standardization and Original RFC

The Simple Mail Transfer Protocol (SMTP) was formally standardized in August 1982 through RFC 821, authored by Jonathan B. Postel of the University of Southern California's Information Sciences Institute. This document established SMTP as an for the reliable and efficient transfer of electronic mail messages between hosts, independent of specific transmission subsystems. It defined a process-to-process communication standard, building briefly on earlier mail systems to create a more structured framework for internetwork mail exchange. RFC 821 introduced a client-server model, where a sender-SMTP process initiates a two-way transmission channel to a receiver-SMTP process on the destination host. Key features included support for mail relaying, allowing intermediate hosts to forward messages across networks to reach final recipients, which facilitated scalability in diverse transport environments. The protocol specified basic commands to orchestrate mail transfer, such as HELO for sender host identification, MAIL FROM to denote the message originator, RCPT TO to specify recipients, and DATA to transmit the mail content following command acknowledgments. SMTP's operation in RFC 821 distinguished between the protocol's envelope—handled via commands like MAIL FROM and RCPT TO for routing and delivery—and the message content itself. The content format was defined separately in the companion RFC 822, which standardized the syntax for ARPA Internet text messages, including headers like Date, Subject, To, Cc, and From, ensuring compatibility with SMTP's data transfer mechanism. This separation allowed SMTP to focus on transport while RFC 822 governed the structured representation of mail data.

Evolution to Modern SMTP

Following the initial standardization of SMTP in RFC 821 in 1982, the protocol underwent significant evolution to address the expanding scale and complexities of the . As email usage proliferated in the late 1980s and early 1990s, driven by the and the growth of online communities, SMTP's original design—optimized for small-scale exchanges—faced challenges in handling increased message volumes and diverse network environments. This period saw the recognition that rigid protocol constraints limited adaptability, prompting the development of mechanisms for extensibility without breaking . A pivotal advancement came in 1995 with the publication of RFC 1869, which introduced Extended SMTP (ESMTP) as a framework for enhancing the protocol. Authored by John Klensin, Ned Freed, Marshall T. Rose, Einar A. Stefferud, and Dave Crocker, this specification defined a structured approach to adding optional features through server-declared capabilities, registered with the (IANA). Central to ESMTP was the EHLO command, which replaced the basic HELO greeting to initiate sessions; upon receiving EHLO, servers respond with a 250 status code followed by a list of supported extensions, enabling clients to negotiate advanced functionalities dynamically. This design preserved the core SMTP session flow while allowing incremental improvements, ensuring that legacy systems using HELO continued to interoperate seamlessly. ESMTP's emphasis on simplicity and scrutiny of extension overheads addressed the need for a ubiquitous mail relay protocol amid rising . By the early 2000s, the explosive growth of —coupled with the surge in unsolicited bulk messages ()—further necessitated refinements to SMTP's foundational elements. emerged as a major issue in the mid-1990s, with large-scale campaigns appearing on and email lists by 1994, and by 2003, spam volume surpassed legitimate email traffic for the first time. This proliferation exploited SMTP's lack of built-in sender authentication, leading to widespread open relay abuse and as early as 1997. In response, the (IETF) updated the core specification in RFC 2821, published in April 2001 by John C. Klensin. This document obsoleted RFC 821 and RFC 974, while updating RFC 1123, consolidating prior clarifications and incorporating the ESMTP extension model more fully into the standard. Key changes included deprecating unused features like and the TURN command, mandating four-digit date formats, and enhancing error handling to better support larger-scale deployments, all while maintaining compatibility with the original commands from RFC 821 as the protocol's foundation. These revisions reflected adaptations to a maturing , where had become a primary communication medium handling billions of messages annually. The current core specification, RFC 5321, published in October 2008 and also authored by John C. Klensin, further refined SMTP by obsoleting RFC 2821 and providing updated guidance for modern environments. As a Standard on the Standards Track, it clarified operational details, improved loop detection, and aligned the protocol with support and enhanced security practices, responding to ongoing challenges like mitigation through extensible mechanisms. This update emphasized SMTP's role not only in mail transfer but also in submission for split-user-agent systems, accommodating mobile and distributed users. Since 2008, the IETF has continued iterative enhancements via working groups, such as updates in RFC 7504 (2015) for authenticated SMTP submission and ongoing efforts in the EMAILCORE group to ensure robustness against evolving threats and network scales. These developments have solidified SMTP's resilience, enabling it to transport trillions of emails yearly while incorporating defenses against abuse.

Protocol Fundamentals

Mail Processing Model

The Simple Mail Transfer Protocol (SMTP) operates on a store-and-forward model, where electronic mail messages are relayed across networks through intermediate systems until they reach their final destination. In this model, messages are submitted by originating systems, relayed by intermediate servers, and ultimately delivered to recipient mailboxes. This approach allows for reliable transmission even across heterogeneous networks, as each relay point temporarily stores the message before forwarding it to the next hop, determined via Domain Name System (DNS) mail exchanger (MX) records. Central to this process are distinct roles played by various agents. Mail Transfer Agents (MTAs) are responsible for the core transport and relaying of messages between servers, accepting incoming mail and forwarding it without altering the content, except for adding trace headers. Mail Submission Agents (MSAs) handle the initial acceptance of messages from Mail User Agents (MUAs), such as clients, validating and preparing them for entry into the SMTP network before passing them to MTAs. Mail Delivery Agents (MDAs), in contrast, manage the final handover of messages to local mailboxes or MUAs upon receipt by the destination MTA, as described for delivery systems in the SMTP specification. SMTP distinguishes between the message and the message to facilitate efficient . The consists of sender and recipient addresses (specified via commands like MAIL FROM and RCPT TO), which SMTP uses exclusively for determining the path and ensuring delivery accountability, without inspecting the . The actual message , including headers and body, is transmitted opaquely as a block and is not involved in routing decisions; this separation enables SMTP to focus solely on while leaving handling to higher-level protocols. Unlike retrieval protocols such as POP3 or IMAP, which enable end-user to stored mail, SMTP is dedicated to the transfer phase.

Core SMTP Session Flow

The core SMTP session begins with the client initiating a connection to the SMTP server, typically on port 25, after resolving the destination domain using DNS records to identify the appropriate mail exchanger host.RFC 5321, Section 5.1 The lookup involves querying the domain for mail exchanger records ordered by preference value, starting with the lowest; if no records exist, the domain itself is treated as an implicit MX with preference 0, followed by an A or record resolution to obtain the .RFC 5321, Section 5.1 Upon successful connection, the server immediately sends a 220 greeting response containing its domain name and a , signaling readiness and marking the start of the session.RFC 5321, Section 3.1 Following the greeting, the client enters the transaction phase by sending an EHLO (Extended HELO) or HELO command with its to identify itself; the server responds with a OK code, optionally listing supported extensions in the case of EHLO.RFC 5321, Section 4.1.1.1 The client then issues the MAIL FROM command specifying the sender's reverse-path address, to which the replies with if accepted, initiating the mail transaction envelope that encapsulates the sender and eventual recipients.RFC 5321, Section 4.1.1.2 Next, one or more RCPT TO commands define the recipient addresses, with the responding for acceptance or an error code if rejected, such as 550 for a permanent failure like an invalid address.RFC 5321, Section 4.1.1.3 Once recipients are confirmed, the client sends the command; the acknowledges with a 354 response prompting the message content, which the client transmits line-by-line, terminating with a single period on a line (.); the then closes the data channel and sends upon successful receipt.RFC 5321, Section 4.1.1.4 Sessions incorporate error handling through three-digit reply codes: 4xx codes indicate transient failures (e.g., 421 for service unavailable or for a temporary mailbox issue), prompting the client to retry later, while 5xx codes denote permanent errors (e.g., 550 for requested action not taken or 553 for malformed address), advising against further attempts for that transaction.RFC 5321, Section 4.2.1 Retry mechanisms for 4xx responses should employ , with an initial minimum delay of 30 minutes and persistence up to 4-5 days before abandonment, ensuring reliable delivery without overwhelming the server.RFC 5321, Section 4.5.4.1 To terminate the session, the client sends the QUIT command, to which the server replies with 221 and closes the , resetting any pending transaction state.RFC 5321, Section 4.1.1.10 If the connection closes prematurely without QUIT, the server may treat it as an implicit quit but logs the event accordingly.RFC 5321, Section 3.8

Basic Commands and Responses

The Simple Mail Transfer Protocol (SMTP) relies on a set of core commands issued by the client to the server to initiate and manage mail transactions, along with standardized response codes from the server to indicate the status of each operation. These commands form the foundation of base SMTP communication, ensuring reliable transfer of electronic mail between hosts. All commands are transmitted as lines of US-ASCII text, limited to 7-bit characters (with the high-order bit set to zero), and each command line must not exceed 512 octets, including the and line feed (CRLF) terminators. The primary commands include those for session initiation, transaction setup, message delivery, and session termination. The HELO command identifies the client to the server at the start of a session, using the syntax HELO SP domain CRLF, where domain is the of the sending ; it has no effect on buffers and can be issued at any time. The MAIL FROM command begins a new mail by specifying the sender's reverse path, with syntax MAIL FROM: SP <reverse-path> CRLF, where <reverse-path> indicates the return address for error notifications; this command must follow a successful HELO and clears any previous state. Following that, the RCPT TO command adds one or more recipients to the , using RCPT TO: SP <forward-path> CRLF, where <forward-path> specifies the delivery path for the recipient; multiple RCPT TO commands can be used for multi-recipient messages, but each requires a successful response before proceeding. To transmit the actual message content, the DATA command is employed after successful MAIL FROM and RCPT TO sequences, with syntax DATA CRLF; the server responds affirmatively, after which the client sends the message header and body lines, each up to 1000 octets long, terminated by a single line containing only a period (.) preceded and followed by CRLF (<CRLF>.<CRLF>). For session management, the RSET command resets the transaction state without affecting the overall connection, using RSET CRLF, which aborts any ongoing mail transfer and clears recipient buffers. The NOOP command performs no action but confirms the connection's viability, with syntax NOOP [SP string] CRLF, often used for keep-alives. Finally, the QUIT command terminates the SMTP session gracefully, using QUIT CRLF, after which the server closes the transmission channel. These commands collectively support the sequential flow of an SMTP session, from greeting to mail relay and logout. Server responses to these commands are three-digit numeric codes prefixed to a human-readable explanation, categorized by the first digit to denote outcome types. A 2xx code signifies successful completion, such as 250 following a valid HELO or MAIL FROM, indicating the action was accepted and the client may proceed. A 3xx code requests further action from the client, exemplified by 354 Start mail input; end with . after , signaling the server is ready for . 4xx codes indicate temporary failures that may warrant retry, like 421 4.4.2 Service not available or 450 Requested mail action not taken: mailbox unavailable, often due to transient issues such as resource limits. 5xx codes denote permanent failures, such as 550 5.1.1 User unknown or 552 5.3.4 Requested mail action aborted: exceeded storage allocation, advising against immediate retries without changes. Each response line is limited to 512 octets, and servers may provide multi-line replies by repeating the first three digits followed by a , ending with a space for the final line.
CommandSyntaxPurposeTypical Response
HELOHELO SP domain CRLFClient identification250 domain OK
MAIL FROMMAIL FROM: SP <reverse-path> CRLFStart transaction, specify sender250 2.1.0 Sender OK
RCPT TORCPT TO: SP <forward-path> CRLFAdd recipient250 2.1.5 OK
DATADATA CRLF (followed by message ended by <CRLF>.<CRLF>)Transmit message354 Start mail input; 250 2.0.0 OK
RSETRSET CRLFReset transaction250 2.0.0 OK
NOOPNOOP [SP string] CRLFNo operation, connection check250 2.0.0 OK
QUITQUIT CRLFEnd session221 2.0.0 Bye

Server and Network Aspects

Outgoing Mail Servers

Outgoing mail servers in the Simple Mail Transfer Protocol (SMTP) ecosystem primarily consist of Mail Transfer Agents (s) and Message Submission Agents (MSAs), which handle the transmission of from originating sources to destination systems. An is a program responsible for receiving and relaying mail messages between s, acting as both an SMTP client to send mail and a to accept it from other MTAs or MSAs. In contrast, an MSA serves as a submission that accepts messages directly from Mail User Agents (MUAs), such as clients, and either delivers them locally or relays them to an for further transport. These s are typically deployed at network edges, such as by Internet Service Providers (ISPs), where MSAs interface with end-user devices and MTAs manage inter-domain relaying to ensure reliable propagation across the . Configuration of outgoing mail servers involves setting up listening interfaces on designated ports, implementing message queuing for delivery retries, and leveraging (DNS) mechanisms for routing decisions. MTAs and MSAs listen for incoming connections, with MTAs commonly using port 25 for relay operations as specified in SMTP standards. MSAs, however, utilize port 587 for message submission via Extended SMTP (ESMTP), enabling secure and authenticated handoffs from user agents. Queue management is a core feature, particularly for MTAs, which store undelivered messages and implement retry schedules—typically with initial intervals of at least 30 minutes and persistence up to 4-5 days—to handle temporary failures like network issues or recipient unavailability. For routing, these servers integrate with DNS by querying Mail Exchanger (MX) records to identify the next-hop destination for a given domain, prioritizing lower-cost paths based on preference values in the records. The distinction between submission and relay servers underscores their specialized roles in outgoing mail handling. Submission servers (MSAs on 587) are designed for initial intake from authenticated users, often allowing modifications like adding missing headers (e.g., or ) to ensure compliance, and they reject malformed submissions immediately with codes. Relay servers (s on 25), by comparison, facilitate transfers between mail systems without altering content, focusing on efficient forwarding while enforcing stricter policies to prevent abuse. This separation enhances and reliability, as submission ports support user authentication and are isolated from open relaying risks inherent in traditional MTA operations.

Ports and Connectivity

The Simple Mail Transfer Protocol (SMTP) relies on specific TCP ports for establishing connections between mail transfer agents (MTAs) and for message submission from clients. The primary port for server-to-server email relay is TCP port 25, which enables the exchange of messages across the Internet as defined in the original SMTP specification. This port supports unauthenticated transfers between trusted MTAs but is frequently subject to restrictions due to its association with spam propagation. For secure message submission, typically from mail user agents (MUAs) to MTAs, TCP port 587 is designated, where authentication mechanisms are mandatory to authorize senders and prevent open relaying. TCP port 465 is designated for message submission using SMTP over implicit TLS, recommended by RFC 8314 as the long-term preferred option for secure connections, in addition to port 587 which supports STARTTLS as a transitional method. Some email service providers utilize TCP port 2525 as a non-standard alternative, particularly in environments where traditional ports are unavailable. SMTP connectivity is fundamentally TCP-based, with the client initiating a to the server's listening to open a reliable, ordered stream for command-response exchanges. Upon successful connection, the server issues a "Service ready" greeting, after which the client sends an EHLO or HELO command to begin the session; failure to receive this greeting prompts the client to terminate the connection. To manage unreliable networks, RFC 5321 imposes strict timeouts: the initial connection and greeting response must complete within 5 minutes, while commands like MAIL FROM and RCPT TO each have a 5-minute limit, DATA initiation allows 2 minutes, individual data blocks 3 minutes, and DATA termination 10 minutes. The server also enforces a 5-minute idle timeout between commands to avoid resource exhaustion. These parameters ensure efficient resource use and prevent indefinite hangs, with clients recommended to implement for retries on transient failures. Firewall and (NAT) configurations present significant challenges for SMTP traffic, often requiring careful policy design to balance security and functionality. Many Internet Service Providers (ISPs) and enterprise block outbound TCP port 25 connections from residential or dynamic IP addresses to curb spam from botnets and unauthorized relays, a practice rooted in anti-abuse recommendations. Inbound restrictions on port 25 are common to protect against external attacks, directing legitimate traffic through authenticated submission ports like 587. In NAT environments, SMTP's inclusion of IP addresses in headers (e.g., "Received:" lines) can expose private addresses, complicating traceability and routing; application-layer gateways (ALGs) are thus advised to rewrite these fields dynamically while maintaining message integrity. Such measures ensure SMTP remains viable in traversed networks without compromising end-to-end delivery. In outgoing mail server setups, these ports and considerations enable seamless integration with broader email infrastructure.

Access Restrictions and Authentication

Access to SMTP servers is often restricted based on the client's to prevent unauthorized use and reduce . allowlisting permits connections only from predefined trusted networks, typically configured in mail transfer agents (MTAs) like Postfix using the mynetworks or smtpd_client_restrictions to explicitly allow specific IP ranges or hosts before applying broader rejection policies. extends this by denying connections from IP addresses associated with certain countries, leveraging geolocation databases integrated into access controls, as implemented in systems like Email Security Appliance where sender groups can reject mail based on geographic origin. Realtime Blackhole Lists (RBLs), also known as DNSBLs, provide a collaborative mechanism where MTAs query DNS-based lists of known abusive IP addresses; for example, Postfix uses the reject_rbl_client directive in smtpd_recipient_restrictions to block clients listed in services like Spamhaus Zen, enhancing protection against sources. Starting in 2024, major email providers including , , and have implemented requirements for bulk email senders (over 5,000 emails per day) to authenticate via (SPF), (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent spoofing and improve deliverability; non-compliance may result in rejection or spam filtering as of May 2025. Client authentication in SMTP is facilitated by the SMTP Service Extension for Authentication (SMTP-AUTH), defined in RFC 4954, which allows clients to negotiate and perform authentication using Simple Authentication and Security Layer (SASL) mechanisms during the SMTP session. Common mechanisms include PLAIN, which transmits username and password in cleartext and must be used over a secure channel like TLS (per RFC 4616), and CRAM-MD5, a challenge-response method using HMAC-MD5 for added security without sending passwords directly (per RFC 2195). The LOGIN mechanism, a non-standard plaintext variant similar to PLAIN, is widely supported for compatibility with clients like Microsoft Outlook but shares the same security requirements for encryption. As of November 2025, major providers such as Microsoft are deprecating Basic Authentication mechanisms like PLAIN and LOGIN in favor of more secure alternatives such as OAuth 2.0. SMTP-AUTH is advertised via the AUTH EHLO keyword, and the exchange occurs after the initial SMTP greeting but before message transfer, with servers rejecting unauthenticated relays to external domains. To further mitigate abuse such as denial-of-service attacks or floods, SMTP servers implement , which caps the number of connections, messages, or recipients per client or session within a time window; for instance, Microsoft Exchange enforces limits like 1200 messages per minute per source to ensure fair usage and prevent overload. complements this by temporarily rejecting mail from unknown senders with a 4xx SMTP error code, exploiting the fact that legitimate MTAs retry delivery per RFC 5321 while many spam bots do not, typically using a triplet of sender , envelope sender, and recipient for tracking (as outlined in RFC 6647). These techniques are often combined, with applied early in the SMTP dialog and exceptions for authenticated or whitelisted clients to minimize disruption.

Operational Mechanics

SMTP Transport Example

A typical SMTP example illustrates the protocol's client-server dialogue for transferring an from a sending to a receiving . This follows the core sequence defined in the Simple Mail Transfer Protocol, beginning with connection establishment and , followed by optional , envelope specification, recipient validation, data , and session termination. The example below depicts a where a client at client.example.com sends mail to multiple recipients at mail.example.com, incorporating Extended SMTP (ESMTP) via the EHLO command and optional using the AUTH extension for PLAIN mechanism over TLS (though TLS is omitted here for brevity; in practice, STARTTLS would precede AUTH). The dialogue uses the following conventions: lines prefixed with S: represent responses, C: represent client commands, and annotations explain each step, including standard three-digit response codes (e.g., for service ready, for success, 354 for data input start, 550 for permanent failure). Response codes are structured as a digit indicating the (2xx success, 3xx continue, 4xx transient failure, 5xx permanent failure), followed by a second digit for the , and a third for details. 
S: 220 mail.example.com ESMTP service ready
   # The server announces its readiness upon TCP connection on port 25 (or 587 for submission), providing the domain and ESMTP support. This initiates the session.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.3.2)

C: EHLO client.example.com
   # The client identifies itself with its domain using EHLO to request ESMTP capabilities, such as supported extensions (e.g., 8BITMIME for [binary data](/page/Binary_data)). If ESMTP is unavailable, HELO could be used instead.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1)

S: 250-mail.example.com
   250-AUTH PLAIN LOGIN
   250-8BITMIME
   250-SIZE 51200000
   250 OK
   # The server lists supported extensions (AUTH for authentication mechanisms like [PLAIN](/page/The_Plain), 8BITMIME for 8-bit data, [SIZE](/page/Size) for maximum message size) and confirms the greeting. The client may now use these if needed.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4)[](https://datatracker.ietf.org/doc/html/rfc4954#section-4)

C: AUTH [PLAIN](/page/The_Plain) AGVhZEBleGFtcGxlLmNvbQB3b3Jk
   # Optional: The client authenticates using the [PLAIN](/page/The_Plain) mechanism, sending base64-encoded credentials (authorization ID, authentication ID, password). This step is required for authorized submission (e.g., on port 587) to prevent open relay abuse but may be skipped for trusted inter-server transfers. If authentication fails, the server responds with 535.[](https://datatracker.ietf.org/doc/html/rfc4954#section-6)

S: 235 2.7.0 Authentication successful
   # The [server](/page/Server) confirms successful [authentication](/page/Authentication), allowing the [transaction](/page/Transaction) to proceed. Without AUTH, the client could continue directly if permitted.[](https://datatracker.ietf.org/doc/html/rfc4954#section-6)

C: MAIL FROM:<[email protected]> SIZE=1024
   # The client specifies the sender's [envelope](/page/Envelope) [address](/page/Address) (reverse path for bounces) and optional [message](/page/Message) [size](/page/Size). The SIZE parameter leverages the ESMTP extension announced earlier. If invalid, the [server](/page/Server) might reply 553 or 552 (quota exceeded).[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.2)

S: 250 2.1.0 Sender address accepted
   # The server accepts the sender, validating it against policies (e.g., no invalid domains). This starts the mail transaction.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.2)

C: RCPT TO:<[email protected]>
   # The client specifies the first recipient's envelope address. Multiple RCPT commands can follow for batch delivery in one session, improving efficiency over separate connections.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.3)

S: 250 2.1.5 Recipient OK
   # The server accepts the recipient after local validation (e.g., [mailbox](/page/Mailbox) existence). For a single-recipient message, only one RCPT is used; multiples allow one message to multiple destinations.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.3)

C: RCPT TO:<[email protected]>
   # Second recipient attempt, demonstrating multi-recipient variation.

S: 550 5.1.1 Recipient2: User unknown
   # The server rejects the recipient permanently (e.g., invalid [mailbox](/page/Mailbox)), using 550 to indicate failure without halting the [transaction](/page/Transaction)—other recipients can still succeed. The client might retry later or notify the sender. In contrast, a transient error like [450](/page/450) (temporary failure) would allow retry.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.2.3)

C: RCPT TO:<[email protected]>
   # Third recipient, continuing despite the prior rejection.

S: 250 2.1.5 Recipient OK
   # Accepted, showing that rejections are per-recipient; the message proceeds to valid ones (here, recipient1 and recipient3).[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.3)

C: [DATA](/page/Data)
   # The client requests to send the message content (headers and body per RFC 5322). No more RCPT or MAIL commands are allowed until the current [transaction](/page/Transaction) ends. If recipients were rejected entirely, the server might reply 503.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4)

S: 354 Start mail input; end with <CRLF>.<CRLF>
   # The server invites data input, specifying the line-oriented format ending with a single dot (.) on its own line. The client has a timeout (typically 5-10 minutes) to complete transmission.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4)

C: From: sender@client.[example.com](/page/Example.com)
   To: recipient1@[mail](/page/Mail).example.com, recipient3@[mail](/page/Mail).example.com
   Subject: Test Message
   
   This is the [body](/page/Body) of the [email](/page/Email).
   .
   # The client transmits the full [message](/page/Message): RFC 5322-compliant headers (e.g., From, To for display names; note envelope addresses differ), followed by the [body](/page/Body), ended by the dot. The rejected recipient2 is omitted from headers. [Binary data](/page/Binary_data) would use 8BITMIME if supported. If transmission fails (e.g., size limit), the server replies 552.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4)

S: 250 2.6.0 [Message](/page/Message) accepted for delivery
   # The [server](/page/Server) confirms receipt and queues the [message](/page/Message) for the accepted recipients, ending the transaction. Errors here (e.g., [451](/page/451) for [resource](/page/Resource) issues) are transient.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.4)

C: QUIT
   # The client requests session closure, optional but recommended to free [resources](/page/Resource). Multiple transactions can occur in one session before QUIT.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.5)

S: 221 2.0.0 mail.example.com closing connection
   # The [server](/page/Server) closes the [TCP](/page/TCP) connection after any final processing. If the client disconnects abruptly, the [server](/page/Server) treats it as an implicit QUIT.[](https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.5)
This example highlights SMTP's relay denial protection: without authentication or trusted IP, a 550 "Relay access denied" might occur after MAIL FROM if the sender or recipients are not authorized. For single-recipient cases, the flow simplifies by using one RCPT TO, reducing overhead while maintaining the same structure. In production, variations include TLS (via STARTTLS after EHLO) to secure the entire , especially for AUTH.

Message Queue Management

SMTP servers manage message queues to handle the temporary storage and processing of emails that cannot be delivered immediately, ensuring reliable transport despite transient failures. Queues typically consist of distinct structures such as the incoming queue for newly received messages awaiting initial processing, the active queue for messages currently undergoing delivery attempts, and the deferred queue for messages that have encountered temporary errors and require retries. These structures allow the server to organize mail flow efficiently, with messages moving from incoming to active upon resource availability, and to deferred on failure before reattempting. Storage methods vary by implementation; for instance, widely-used mail transfer agents (MTAs) like Postfix employ file-based storage on disk for incoming and deferred queues, while others like Microsoft Exchange utilize a database for all queue types to facilitate querying and management. Retry algorithms are essential for queue management, employing strategies to reattempt delivery without overwhelming the network or recipient servers. Per 5321, after a temporary (indicated by a 4xx SMTP response code), the server must queue the message and retry with intervals of at least 30 minutes following the initial attempt, continuing for a total period of 4 to 5 days before deeming it undeliverable. A recommended schedule includes two attempts within the first hour, followed by retries every 2 to 3 hours, often incorporating to progressively increase delays—starting from 5-10 minutes initially and extending to hours or days—to mitigate congestion. This approach balances persistence with resource efficiency, as outlined in the protocol specification. For messages that remain undeliverable after exhaustive retries, servers generate bounce messages to notify the originator of the failure. These notifications, known as Delivery Status Notifications (DSNs), are standardized in RFC 3461 as an SMTP extension, allowing specification of reporting conditions (e.g., failure or delay) via parameters in the and RCPT commands. Upon final failure (e.g., a 5xx response or timeout), the server creates a DSN report in multipart/report format, including details like the reporting , action taken, status code, and optionally the original message content or headers, sent to the envelope return path using a reverse-path to prevent loops. This mechanism ensures transparency in delivery outcomes while adhering to privacy and loop-prevention guidelines.

Delivery Mechanisms

In SMTP systems, final often occurs locally after the message has been relayed to the destination server, where a Mail Delivery Agent (MDA) processes the for storage in user mailboxes or further handling. MDAs such as receive messages from the Mail Transfer Agent (MTA) and apply filters, sort , or directly to spool files or formats, ensuring efficient local placement without network transmission. , for instance, filters incoming mail based on headers, body , or keywords before final , supporting conditional rules for forwarding or archiving. To facilitate local delivery without the queuing semantics of standard SMTP, the Local Mail Transfer Protocol (LMTP), defined in RFC 2033, serves as a variant optimized for intra-system transfers. LMTP employs ESMTP syntax but modifies the session flow: it uses LHLO for greeting, returns per-recipient responses after the DATA command terminator, and avoids server-side queuing, allowing the client (typically the ) to manage retries for individual failures. This makes LMTP ideal for delivering messages from an to multiple local MDAs or storage backends on the same host, such as in scenarios involving shared mailboxes or gateways, where immediate status feedback per recipient enhances efficiency over SMTP's store-and-forward model. For remote delivery, SMTP relies on relay servers that forward messages across networks using MX records from the (DNS) to determine the next hop, with preferences guiding the order of attempts. In cases of intermittent connectivity or dynamic IP addresses, such as with mobile or dial-up systems, the On-Demand Mail Relay (ODMR) protocol provides a pull-based alternative, as specified in 2645. ODMR operates as a restricted SMTP profile on port 366, beginning with standard EHLO and AUTH commands for client authentication via SASL mechanisms like CRAM-MD5, followed by the ATRN command to request queued mail for specific domains, which reverses roles and initiates transfer. This enables recipients to retrieve accumulated mail on demand, with sessions supporting timeouts of at least 10 minutes to accommodate variable connection times. SMTP routing incorporates mechanisms for aliases, mailing lists, and domains to expand or redirect addresses during envelope processing, ensuring accurate final delivery. Aliases replace a pseudo-mailbox (e.g., a local name) with one or more real recipient addresses in the RCPT stage, preserving the original message body while updating the for delivery. For mailing lists, the process similarly expands the recipient list but modifies the return path to a list administrator's address, allowing notifications for undeliverable messages to route appropriately without exposing full membership. domains are handled through DNS records, which map domain names to hosting servers; multiple records with preference values enable load balancing or , treating the domain as a logical entity independent of physical hosts. CNAME records further support aliasing at the domain level, recursively resolving to canonical names before queries. Queuing precedes these mechanisms as an interim step, buffering messages for routing attempts.

Extensions and Enhancements

ESMTP Discovery Mechanism

The Extended Simple Mail Transfer Protocol (ESMTP) discovery mechanism enables clients to identify and negotiate optional extensions supported by an SMTP server, enhancing the basic protocol's capabilities without breaking compatibility. This process begins when an SMTP client issues the EHLO command, which stands for "Extended HELO," followed by the client's or an address literal, such as EHLO [example.com](/page/Example.com). Unlike the basic HELO command, which serves as a non-extended baseline for session initialization, EHLO prompts the server to advertise its supported extensions in the response. Upon receiving the EHLO command, a compliant ESMTP must respond with a multi-line 250 status code, where the initial lines begin with "250-" followed by keywords indicating supported extensions, and the final line starts with "250 " to signify completion. Each extension keyword may be accompanied by parameters that specify further details or options, such as 250-AUTH [PLAIN](/page/The_Plain) [LOGIN](/page/Login) to indicate support for the AUTH extension with PLAIN and LOGIN mechanisms, or 250-8BIT[MIME](/page/MIME) to signal handling of 8-bit MIME content. Servers are required to advertise all non-private extensions in this manner, ensuring that only registered extensions—those defined in IETF Standards-Track or Experimental documents and listed with IANA—are included, prefixed without an "X-" unless experimental. The order of these parameters and extensions in the response lines is not mandated by the specification, allowing servers flexibility in presentation while maintaining parseability. If a server does not support ESMTP and rejects the EHLO command—typically with a 502 response—the client must fall back to the basic HELO command to initiate a standard SMTP session, as all servers are required to support HELO for . Clients encountering unknown or unrecognized extensions in the 250 response should ignore them and proceed only with those they understand and require, preventing errors from unsupported features. This ensures robust , as servers must not offer capabilities they cannot fulfill and clients must not attempt parameters beyond those explicitly advertised.

Data Transfer and Format Extensions

The Simple Mail Transfer Protocol (SMTP) originally supported only 7-bit ASCII text, necessitating encodings like or for non-ASCII content, which increased message size and processing overhead. To address these limitations, several extensions enhance data transfer and format capabilities, allowing more efficient handling of , 8-bit, and large messages while preserving . These extensions are advertised by servers in response to the EHLO command, enabling clients to negotiate their use during the SMTP session. The 8BITMIME extension, specified in RFC 6152, permits the direct transmission of 8-bit MIME messages containing octets beyond the US-ASCII range (hex 00-7F), supporting arbitrary octet-aligned content without mandatory 7-bit conversion. Clients indicate support by including the BODY parameter with the value "8BITMIME" in the extended MAIL command after the server advertises the "8BITMIME" keyword in its EHLO response, which has no parameters. Receiving servers must preserve all bits in the octets during relay, including the 8th bit, and adhere to the maximum line length of 1000 octets (including the <CR><LF>), as specified in the base SMTP protocol. Clients are required to avoid sending 8-bit content to non-supporting servers and may fall back to 7-bit MIME encoding if necessary, but this extension does not accommodate binary content-transfer-encodings like those in MIME. For handling large and binary MIME messages more efficiently, the BINARYMIME extension, outlined in RFC 3030, introduces chunked binary transfer to eliminate the overhead of textual encodings. It relies on the companion CHUNKING extension, advertised via the "CHUNKING" EHLO keyword, and is signaled by the "BINARYMIME" keyword, which requires CHUNKING for operation. Instead of the traditional DATA command, clients use the BDAT command to send data in specified chunks: each BDAT includes a required chunk-size argument in octets (e.g., BDAT 100000) followed immediately by the data, with the receiver acknowledging exactly that amount via a 250 response; the final chunk is marked with the optional "LAST" parameter (e.g., BDAT 0 LAST). The MAIL command may include a BODY=BINARYMIME parameter, and receivers must preserve all octet bits while enforcing canonical line endings for text parts. BINARYMIME is incompatible with the standard DATA command in the same transaction but can integrate with PIPELINING for improved performance; senders must convert unsupported binary data to 8-bit or 7-bit forms without loss if the extension is unavailable. The extension, defined in RFC 1870, allows clients to declare the size of a message in advance, enabling servers to reject oversized messages early and optimize resource allocation during sessions. Servers advertise support via the "SIZE" EHLO keyword, optionally followed by a indicating their maximum accepted message size in bytes as a number (e.g., SIZE=); a value of or omission signifies no fixed limit. Clients then include a "SIZE=value" in the MAIL FROM command, where value is the estimated total octets including pairs but excluding the DATA-terminating dot-stuffing. If the declared size exceeds the server's limit, it responds with a 552 error for permanent failure or 452 for temporary issues like insufficient resources, potentially at the RCPT stage on a per-recipient basis. Servers may accept messages larger than declared if resources permit, and clients should provide accurate estimates to avoid unnecessary rejections.

Internationalization and Relay Extensions

The Email Address Internationalization (EAI) framework, defined in RFC 6530, provides a comprehensive set of specifications to enable the use of internationalized email addresses containing non-ASCII characters, addressing the limitations of traditional ASCII-only email systems. This framework replaces earlier efforts like RFC 4952 and relies on encoding to support characters in email addresses, headers, and related protocols. Key components include the SMTPUTF8 extension for message transfer, UTF-8-based header formatting, and support for internationalized Delivery Status Notifications (DSNs), ensuring end-to-end handling of non-ASCII content without intermediate downgrading. Implementation requires systems to support the 8BITMIME extension (RFC 6152) for transmission, and domain names must conform to Internationalizing Domain Names in Applications (IDNA) standards (RFC 5890) using A-labels or U-labels. The SMTPUTF8 extension, specified in RFC 6531, extends the Simple Mail Transfer Protocol (SMTP) to permit strings in addresses, headers, and the message body, facilitating global email interoperability. Servers advertise support for this extension by including the "SMTPUTF8" keyword in their EHLO response without parameters, signaling to clients that non-ASCII content can be used. In the MAIL and RCPT commands, internationalized addresses follow an extended syntax from RFC 5321, where local parts and domain names may include characters, with domains resolved via IDNA-compliant DNS lookups using A-labels. Clients must specify the SMTPUTF8 parameter in the command if using , and servers are required to reject messages with non-ASCII content if they lack support, using enhanced SMTP error codes such as 5.6.7 for invalid syntax or 5.6.9 for permanent failures related to . This extension mandates 8BITMIME support to handle the full range of octets, preventing during transit, though it introduces risks of rejection if downstream servers do not support it, emphasizing the need for gateway downgrading only at message endpoints. On-Demand Mail Relay (ODMR), outlined in RFC 2645, introduces a pull-based mechanism for authenticated email retrieval, contrasting with SMTP's traditional push model and aiding environments with dynamic IP addresses, such as mobile or dial-up systems. Operating on port 366, ODMR reverses client-server roles after authentication: the client initiates an ODMR session, authenticates using SASL mechanisms like CRAM-MD5 (RFC 2195), and then requests queued mail via the ATRN command, specifying one or more domains in the syntax ATRN [SP domain *("," domain)]. Authentication is mandatory before any mail transfer, ensuring secure access, and the server responds with queued messages or errors like 453 (no mail available) or 451 (temporary processing issue). Commands such as EXPN and VRFY are explicitly not supported, returning 502 errors to maintain focus on relay functions, while providers must implement timeouts of at least 10 minutes for ATRN requests to accommodate variable connection speeds. This protocol enhances relay flexibility by allowing on-demand pulls, but it requires firewall accommodations for port 366 and careful queue management on the provider side.

Security Considerations

TLS and Encryption Methods

The Simple Mail Transfer Protocol (SMTP) originally operated over unencrypted connections, exposing email transmissions to and tampering. To address these vulnerabilities, the STARTTLS extension was introduced to enable by upgrading an existing plain SMTP session to (TLS). Defined in 3207, STARTTLS operates as an SMTP service extension advertised via the EHLO command with the keyword "STARTTLS" and no parameters. Upon receiving the STARTTLS command from a client, a compliant responds with a status code indicating readiness for TLS negotiation; the client then initiates the TLS , after which the SMTP session resets to its initial state, requiring a new EHLO to resume operations. This mechanism ensures that TLS is applied at the without altering the core SMTP protocol, though it introduces risks such as man-in-the-middle attacks if the initial plain-text exchange is intercepted before the upgrade. STARTTLS supports two primary modes of operation: opportunistic and mandatory. In opportunistic mode, clients attempt to initiate TLS but proceed with unencrypted transmission if the server does not support or advertise the extension, providing a balance between security and compatibility for inter-domain email relay. Mandatory mode, conversely, requires TLS for the session; servers may reject connections with a 530 error if STARTTLS is not issued, though publicly referenced SMTP servers on port 25 must not enforce this for local mail delivery to avoid disrupting standard operations. Certificate validation in both modes traditionally relies on (PKI) with issued by trusted (CAs), where clients verify the server's identity against the hostname in the 's subject or subject alternative name fields. An alternative validation method, (DANE), uses DNSSEC-secured TLSA resource records published under the subdomain _25._tcp.<domain> to specify acceptable server or public keys, enabling validation independent of CAs. DANE records support usages such as DANE-EE(3) for direct end-entity matching or DANE-TA(2) for validation, and in contexts, clients fall back to unauthenticated encryption or cleartext if no valid TLSA records are found. As a legacy alternative to STARTTLS, SMTPS employs implicit TLS, where the connection begins with TLS negotiation immediately upon TCP establishment, without an initial plain-text phase. Historically registered for SMTP over SSL in 1997 but deprecated and reassigned by the (IANA) in 1998 due to lack of standardization, port 465 for saw widespread de facto adoption for secure message submission despite the revocation. RFC 8314 later formalized its use on port 465 as a recommended implicit TLS option alongside STARTTLS on port 587, citing improved resistance to downgrade attacks, though both require certificate validation per established TLS practices. While considered deprecated in favor of explicit STARTTLS methods in earlier guidance, remains in use for legacy systems and transitional deployments to phase out cleartext email submission.

Authentication and Reporting Extensions

The Simple Mail Transfer Protocol (SMTP) has been extended to include mechanisms for client-server and of security-related events, enhancing beyond basic transport encryption. These extensions, introduced through specific RFCs, allow for identity during SMTP sessions and systematic notification of TLS failures, helping operators detect and mitigate issues such as misconfigurations or attacks. While STARTTLS provides the foundational for these features, the authentication and reporting extensions focus on verifying participants and logging anomalies post-negotiation. SMTP-AUTH, defined in RFC 4954, enables SMTP clients to authenticate to servers using the (SASL), allowing for the negotiation of a protected SMTP session. This extension is advertised by servers in response to the EHLO command via the "AUTH" keyword, followed by a space-separated list of supported SASL mechanisms, such as , , CRAM-MD5, DIGEST-MD5, or GSSAPI. Upon receiving the AUTH command from a client specifying a mechanism (e.g., AUTH ), the server responds with a continuation code (334), prompting the client to send credentials in the SASL exchange; successful authentication results in a 235 response code. Servers must support the AUTH parameter in the MAIL FROM command to associate an authenticated with the sender's identity, even if no prior client authentication occurred. For security, plaintext mechanisms like require TLS protection to prevent eavesdropping, and clients are mandated to verify server certificates when using such mechanisms over TLS. RFC 4954 obsoletes the earlier RFC 2554 and emphasizes interoperability, requiring implementations to support over TLS and optionally CRAM-MD5. MTA-STS, outlined in RFC 8461, provides a framework for mail service providers to declare and enforce strict (TLS) requirements for incoming SMTP connections, mitigating risks from opportunistic STARTTLS downgrades or interceptions. Domains publish an MTA-STS policy indicator via a DNS at the subdomain "_mta-sts.", which includes a version tag ("v=STSv1") and a unique policy identifier ("id"), such as "_mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;"". Sending mail transfer agents (MTAs) query this record to discover the policy, then retrieve the full policy document over from "https://mta-sts./.well-known/mta-sts.txt", which specifies the mode (enforce, testing, or none), maximum age in seconds (up to 31,557,600), and permitted MX host patterns. In "enforce" mode, sending MTAs must refuse delivery if TLS negotiation fails—such as when STARTTLS is unsupported or the certificate is invalid according to PKIX validation—ensuring all connections use authenticated TLS. The "testing" mode allows delivery while generating reports of failures, and "none" disables the policy. This mechanism does not require DNSSEC but relies on for policy confidentiality and authenticity, with DNSSEC providing optional protection for the TXT record against . SMTP TLS Reporting, specified in RFC 8460, establishes a standardized method for sending MTAs to report aggregate statistics on TLS outcomes to recipient , aiding in the identification of issues without exposing sensitive per-message details. advertise reporting endpoints via a DNS at "_smtp._tls.<->", containing "v=TLSRPTv1" and one or more "rua=" URIs (: or :) for report submission, such as "_smtp._tls.example.com. IN "v=TLSRPTv1; rua=:[email protected]"". Reports are generated periodically (e.g., daily) and formatted as I-JSON objects, including like the reporting organization's , contact information, report date range, and details (e.g., MTA-STS or enforcement). The core of each report is an array of aggregate counts for TLS sessions to specific MX hosts, categorized by outcome types such as "success" (valid TLS established), "starttls-not-supported", "certificate-expired", or "validation-failed", with optional additional-information URIs for diagnostics. Reports distinguish between (typically the recipient ) and MX , supporting multiple policies per and focusing on failures from , DNS , STARTTLS , or validation to enable proactive issue .

Anti-Spoofing and Spam Mitigation

One of the primary vulnerabilities in the Simple Mail Transfer Protocol (SMTP) is the ability to forge the sender's address in the MAIL FROM command, allowing unauthorized parties to impersonate legitimate domains without . This lack of inherent in SMTP enables , where malicious actors can inject deceptive messages into the system. The rise of unsolicited bulk email, or , exploiting these weaknesses became prominent in the 1990s, with the first widespread commercial spam campaigns emerging around 1994 and escalating into an epidemic by the late decade, overwhelming email infrastructure and eroding user trust. To counter sender spoofing, several domain-based authentication mechanisms have been developed as SMTP extensions. The , defined in 7208, allows domain administrators to publish DNS records specifying authorized IP addresses or hosts permitted to send on behalf of their domain, enabling receiving servers to validate the 's envelope against these policies. (DKIM), outlined in 6376, addresses by using to sign emails, permitting recipients to verify that the content and headers have not been altered in transit and originate from an authorized signer within the domain. Building on SPF and DKIM, Domain-based Message Authentication, Reporting, and Conformance (DMARC), specified in 7489, provides a framework for domain owners to set policies on handling messages that fail authentication checks, along with reporting tools to monitor abuse and refine protections. These methods collectively reduce spoofing by establishing verifiable claims about and , often integrated as complementary to extensions. In addition to protocol-level mitigations, server-side filtering techniques play a crucial role in spam detection and prevention within SMTP environments. Content scanning examines email bodies, headers, and attachments for patterns indicative of spam, such as suspicious keywords, URLs, or signatures, often using heuristic rules or models to assign risk scores. Bayesian analysis enhances this by applying : it trains on labeled datasets of legitimate and spam messages to compute the likelihood of new emails being unsolicited based on word frequencies and contextual features, achieving high accuracy in adaptive filtering. Relay restrictions further limit abuse by configuring SMTP servers to reject from unauthorized sources or prevent open relaying, where external senders could use the server as an intermediary for bulk distribution, a common vector for in early SMTP deployments.

Implementations and Usage

Open-Source Implementations

Postfix, first released in 1998 by Wietse Venema while at , is a modular mail transfer agent (MTA) designed as a secure and efficient alternative to earlier systems like . Its architecture emphasizes queue management through separate processes for incoming SMTP connections, message queuing, and delivery, reducing the risk of vulnerabilities from long-running daemons. Postfix includes built-in anti-spam features such as sender restrictions, recipient verification, and integration with external filters, while maintaining full compliance with SMTP standards defined in RFC 5321. Exim, initially developed in 1995 by at the Computing Service as a replacement for Smail 3, is a highly configurable tailored for systems. Its single-configuration-file approach enables scriptable logic for complex routing decisions, including policy-based controls via access control lists (ACLs) introduced in version 4. Exim supports advanced features like virtual domains, content scanning, and per-host retry mechanisms, allowing administrators to implement custom delivery rules without recompiling the software. Like other open-source s, it adheres to core SMTP protocols for reliable message transfer. Sendmail, the original open-source authored by in 1981 at the , under a contract, laid the foundation for SMTP-based email routing on Unix systems. Initially focused on internetwork mail delivery across diverse transport protocols, it has evolved with modern extensions in its open-source releases, such as support for TLS encryption and integration with OpenDKIM for domain authentication per RFC 4871. Current versions, like 8.18.1, retain backward compatibility while adding features for large-scale environments, including queue prioritization and aliasing. For lightweight client-side use, tools like sSMTP provide a simple send-only interface to forward messages to an SMTP server without full MTA overhead.

Commercial and Enterprise Solutions

provides an integrated SMTP solution for enterprise email environments, enabling seamless mail transfer within on-premises deployments and through Exchange Online in Microsoft 365. Exchange Online utilizes SMTP protocols for outbound email submission, supporting methods such as client SMTP submission over port 587 with TLS encryption and authentication, which integrates directly with clients to handle sending limits of up to 10,000 recipients per day. Hosted on infrastructure, it offers scalable relay options via inbound connectors for higher-volume scenarios, ensuring compliance with enterprise requirements like , DKIM, and authentication to prevent spoofing. The Cisco Secure Email Gateway (ESA), formerly known as IronPort Email Security Appliance, serves as a proprietary SMTP gateway appliance focused on inbound and outbound email relay with advanced filtering capabilities for enterprise networks. In outbound relay mode, the ESA functions as a dedicated Mail Transfer Agent (MTA), handling high-volume SMTP traffic while supporting configurations for relay hosts to route emails through specified external servers, enhancing delivery reliability in large-scale deployments. Its gateway filtering integrates anti-spam, anti-virus, and content scanning to inspect SMTP streams before relay, providing enterprise-grade protection against threats without disrupting mail flow. Proofpoint offers Secure Email Relay (SER), a cloud-based SMTP proxy service designed for enterprise application email, ensuring secure relay from approved sources to mitigate risks like domain spoofing and unauthorized sending. This solution proxies SMTP traffic by applying DKIM signing for DMARC compliance, scanning for malware and sensitive data via data loss prevention (DLP), and enforcing authenticated relay to block impersonation attempts in hybrid or cloud environments. Similarly, Mimecast's Secure Email Gateway provides a cloud-native SMTP proxy that intercepts and filters inbound/outbound email flows, leveraging AI-driven detection, as 91% of cyber attacks start with email, while supporting compliance through customizable policies and integrations with Microsoft 365. These enterprise solutions often incorporate ESMTP extensions for enhanced security features like STARTTLS and authentication.

Historical and Legacy Systems

Sendmail emerged as the dominant mail transfer agent () in the early 1980s, implementing SMTP as early as November 1981 and influencing its standardization in RFC 821 the following year. Developed by at UC , it was distributed with BSD Unix releases starting in 1983, rapidly becoming the standard for routing email across the nascent and early , where it handled messages between diverse networks with varying addressing schemes. Its configurability via the m4 macro language allowed adaptation to complex environments, solidifying its prevalence on Unix systems and beyond. However, Sendmail's early designs prioritized functionality over security, often running with root privileges and exposing vulnerabilities like the debug mode in versions prior to 5.61. This flaw was infamously exploited by the on November 2, 1988, which used the debug mode to execute arbitrary commands on infected systems, contributing to the worm's spread across approximately 6,000 Unix machines—about 10% of the at the time. The incident, analyzed in detail by Eugene Spafford, underscored Sendmail's security shortcomings and prompted widespread patches and a shift toward more secure practices in MTA development. To address ongoing extensibility needs while enhancing security, introduced the Mail Filter (Milter) in version 8.10 around 1998, with full official support in version 8.12 released in September 2001. This architecture allows third-party filters to intercept and modify messages during SMTP processing in separate, non-root processes, enabling safer integration of features like antivirus scanning and detection without altering 's core. Many legacy deployments migrated to this model to mitigate vulnerabilities while retaining compatibility with older configurations. In response to Sendmail's security issues, Daniel J. Bernstein developed qmail starting in December 1995 as a secure alternative MTA, emphasizing principles like avoiding setuid programs, minimizing root operations, and modular design to prevent common exploits. qmail included a security guarantee offering a $500 reward for verifiable holes since March 1997, with no successful claims, establishing its reputation for robustness in handling high-volume email without the vulnerabilities seen in contemporaries. However, Bernstein ceased active maintenance after version 1.03 in 1998, leaving qmail unmaintained by its author amid disputes over licensing and patches. Community efforts filled this gap, with netqmail emerging as a key in 2002, incorporating fixes, enhancements like better , and improvements from -1.03, though its last official release was in 2007. Subsequent forks, such as notqmail launched in 2019, continue this lineage with collaborative updates for modern environments, but original and early forks remain in use on legacy systems due to their proven reliability. By 2025, legacy SMTP systems like older and installations face significant challenges in with modern extensions, particularly SMTPUTF8 defined in RFC 6531 (2012), which enables encoding for internationalized addresses and headers. These systems, lacking native SMTPUTF8 support, often reject messages containing non-ASCII characters in domains or local parts, returning errors like 550 or 553, as they rely on 7-bit ASCII transport per original SMTP specifications. efforts are complicated by the need to preserve with vast archives of ASCII-only mail, while global growth—exceeding 376 billion messages daily as of 2025—demands support for multilingual content, forcing administrators to deploy gateways or upgrades to avoid delivery failures.

References

  1. [1]
    RFC 5321 - Simple Mail Transfer Protocol - IETF Datatracker
    This document is a specification of the basic protocol for Internet electronic mail transport. It consolidates, updates, and clarifies several previous ...
  2. [2]
    RFC 821: Simple Mail Transfer Protocol
    Network Working Group J. · RFC 821 August 1982 Simple Mail Transfer Protocol two host are connected to the same transport service, or via one or more relay SMTP- ...
  3. [3]
    RFC 2821 - Simple Mail Transfer Protocol - IETF Datatracker
    This document is a self-contained specification of the basic protocol for the Internet electronic mail transport.
  4. [4]
    Information on RFC 5321 - » RFC Editor
    This document is a specification of the basic protocol for Internet electronic mail transport. It consolidates, updates, and clarifies several previous ...<|control11|><|separator|>
  5. [5]
    smtp - Service Name and Transport Protocol Port Number Registry
    Oct 16, 2025 · ... port numbers are described in [RFC6335]. Assigned ports both System and User ports SHOULD NOT be used without or prior to IANA registration.
  6. [6]
    Service Name and Transport Protocol Port Number Registry
    Oct 22, 2025 · Port numbers are assigned in various ways, based on three ranges: System Ports ... User Ports are assigned by IANA using the "IETF Review" process ...
  7. [7]
    Simple Mail Transfer Protocol (SMTP) - Glossary | CSRC
    An MTA protocol defined by IETF RFC 2821. SMTP is the most commonly used MTA protocol. Sources: NIST SP 800-45 Version 2 the primary protocol used to transfer ...
  8. [8]
    [PDF] Oral History of Raymond (Ray) Tomlinson
    Jun 5, 2009 · Email got its first exposure as part of a distribution of TENEX , probably in January of '72, or thereabouts. Hendrie: How did TENEX spread to ...
  9. [9]
    The Origins of E-mail - Stanford Computer Science
    Sep 17, 1999 · Even before the development of ARPANET, computer scientists at MIT had developed a program called MAILBOX that allowed for the exchange of ...Missing: relays limitations
  10. [10]
    RFC 114: File Transfer Protocol
    This paper is a "first cut" at a protocol that will allow users at any host on the network to use the file system of every cooperating host.Missing: mail ARPANET
  11. [11]
    RFC 822 - STANDARD FOR THE FORMAT OF ARPA INTERNET ...
    This standard specifies a syntax for text messages that are sent among computer users, within the framework of electronic mail.
  12. [12]
    RFC 821 - Simple Mail Transfer Protocol - IETF Datatracker
    The objective of Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and efficiently. SMTP is independent of the particular transmission ...
  13. [13]
    RFC 2821 - Simple Mail Transfer Protocol - IETF Datatracker
    Simple Mail Transfer Protocol RFC 2821 ; RFC - Proposed Standard (April 2001) Errata. Obsoleted by RFC 5321. Updated by RFC 5336. Obsoletes RFC 1869, RFC 821, ...Missing: evolution | Show results with:evolution
  14. [14]
    RFC 1869: SMTP Service Extensions
    **Publication Details:**
  15. [15]
    [PDF] The History of Spam | Internet Society
    First email spam was in 1978. "Spamming" started as a prank in 1988. The term "spam" was first used in 1993. Spam exceeded legitimate email in 2003.<|control11|><|separator|>
  16. [16]
    https://datatracker.ietf.org/doc/rfc2821/
  17. [17]
    RFC 5321: Simple Mail Transfer Protocol
    Summary of each segment:
  18. [18]
    https://www.internetsociety.org/wp-content/uploads/2017/08/History20of20Spam.pdf
  19. [19]
    https://datatracker.ietf.org/doc/rfc821/
  20. [20]
    https://datatracker.ietf.org/doc/rfc5321/
  21. [21]
    https://datatracker.ietf.org/doc/rfc7504/
  22. [22]
    https://datatracker.ietf.org/doc/html/rfc5321#section-3.6
  23. [23]
    https://datatracker.ietf.org/doc/html/rfc6409
  24. [24]
    https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.10
  25. [25]
    https://datatracker.ietf.org/doc/html/rfc5321#section-3.3
  26. [26]
    https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.1
  27. [27]
    https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.7
  28. [28]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.6
  29. [29]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.1
  30. [30]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.2
  31. [31]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.3
  32. [32]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.4
  33. [33]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.5
  34. [34]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.9
  35. [35]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.1.1.10
  36. [36]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.2.1
  37. [37]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.2.2
  38. [38]
    RFC 5321: Simple Mail Transfer Protocol
    Summary of each segment:
  39. [39]
    RFC 6409: Message Submission for Mail
    An MTA acts as an SMTP server to accept messages from an MSA or another MTA, and it either delivers them or acts as an SMTP client to relay them to another MTA.
  40. [40]
    RFC 6409: Message Submission for Mail
    ### Summary of Port 587 for SMTP Submission (RFC 6409)
  41. [41]
    RFC 8314: Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
    ### Summary of SMTP Ports in RFC 8314
  42. [42]
    What SMTP port should be used? Port 25, 587, or 465? - Cloudflare
    Although port 465 is the recommended port for secure SMTP email transmission, some systems sometimes rely on ports 25, 587, or 2525.
  43. [43]
    https://www.rfc-editor.org/rfc/rfc6409.html
  44. [44]
    RFC 3639 - Considerations on the use of a Service Identifier in ...
    For example, some service providers are blocking port 25 (i.e., notionally SMTP) traffic for the stated purpose of trying to prevent SPAM, but which can also ...
  45. [45]
    RFC 3027: Protocol Complications with the IP Network Address ...
    The purpose of this document is to identify the protocols and applications that break with NAT enroute. The document also attempts to identify any known ...
  46. [46]
    Postfix SMTP relay and access control
    Getting selective with SMTP access restriction lists​​ Postfix allows you to specify lists of access restrictions for each stage of the SMTP conversation. ...Missing: RBL | Show results with:RBL
  47. [47]
    How do I blacklist and reject an email server based on geolocation?
    Sep 29, 2017 · This document describes how to blacklist and reject an email server based on the geolocation using Sender Group on the Email Security Appliance (ESA)
  48. [48]
    RFC 4954 - SMTP Service Extension for Authentication
    This document defines a Simple Mail Transport Protocol (SMTP) extension whereby an SMTP client may indicate an authentication mechanism to the server.Missing: evolution | Show results with:evolution
  49. [49]
    RFC 4616 - The PLAIN Simple Authentication and Security Layer ...
    This document defines a simple clear-text user/password Simple Authentication and Security Layer (SASL) mechanism called the PLAIN mechanism.<|separator|>
  50. [50]
    Authentication (SASL) Mechanisms — Dovecot documentation
    The simplest authentication mechanism is PLAIN. The client simply sends the password unencrypted to Dovecot. All clients support the PLAIN mechanism.
  51. [51]
    Message rate limits and throttling | Microsoft Learn
    Apr 30, 2025 · Summary: Learn how message rate limits affect mail flow and connections in Exchange Server 2016 and Exchange Server 2019.
  52. [52]
    RFC 6647 - Email Greylisting: An Applicability Statement for SMTP
    This document describes the art of email greylisting, the practice of providing temporarily degraded service to unknown email clients as an anti-abuse ...
  53. [53]
    https://datatracker.ietf.org/doc/html/rfc4616
  54. [54]
    https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750
  55. [55]
    https://learn.microsoft.com/en-us/exchange/mail-flow/message-rate-limits
  56. [56]
    https://datatracker.ietf.org/doc/html/rfc6647
  57. [57]
    https://datatracker.ietf.org/doc/html/rfc5321#appendix-D.1
  58. [58]
    https://datatracker.ietf.org/doc/html/rfc5321#section-5
  59. [59]
    https://www.postfix.org/QSHAPE_README.html
  60. [60]
    https://learn.microsoft.com/en-us/exchange/mail-flow/queues/queues
  61. [61]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.4.1
  62. [62]
    Postfix Bottleneck Analysis
    Input into the "active" queue comes both from new mail in the "incoming" queue, and retries of mail in the "deferred" queue. Should the "deferred" queue get ...
  63. [63]
    Queues and messages in queues in Exchange Server
    Apr 30, 2025 · Queue database files. All the different queues are stored in a single ESE database. By default, this queue database is located on the transport ...
  64. [64]
    https://datatracker.ietf.org/doc/html/rfc2033
  65. [65]
    RFC 3461 - Simple Mail Transfer Protocol (SMTP) Service Extension ...
    RFC 3461 extends SMTP to allow clients to specify when Delivery Status Notifications (DSNs) are generated, and what information is returned.
  66. [66]
    19.4. Mail Delivery Agents | Red Hat Enterprise Linux | 6
    Procmail delivers and filters email as it is placed in the mail spool file of the localhost. It is powerful, gentle on system resources, and widely used.
  67. [67]
    RFC 2033 - Local Mail Transfer Protocol - IETF Datatracker
    RFC 2033 describes the LMTP protocol for transporting mail in systems where the receiver does not manage a queue, using ESMTP syntax.
  68. [68]
    RFC 2645 - on-demand mail relay (odmr) - IETF Datatracker
    RFC 2645. Proposed Standard. Title, ON-DEMAND MAIL RELAY (ODMR) SMTP with Dynamic IP Addresses. Document, Document type, RFC - Proposed Standard August 1999
  69. [69]
    https://datatracker.ietf.org/doc/html/rfc5321#section-4.2.5
  70. [70]
    https://datatracker.ietf.org/doc/html/rfc5321#section-2.2.2
  71. [71]
    RFC 974: Mail routing and the domain system
    This RFC presents a description of how mail systems on the Internet are expected to route messages based on information from the domain system described in ...
  72. [72]
    https://datatracker.ietf.org/doc/html/rfc6152
  73. [73]
    https://datatracker.ietf.org/doc/html/rfc3030
  74. [74]
    https://datatracker.ietf.org/doc/html/rfc1870
  75. [75]
    RFC 6152: SMTP Service Extension for 8-bit MIME Transport
    ### Summary of RFC 6152: SMTP Service Extension for 8-bit MIME Transport
  76. [76]
    RFC 3030: SMTP Service Extensions for Transmission of Large and Binary MIME Messages
    ### Summary of BINARYMIME SMTP Extension (RFC 3030)
  77. [77]
    RFC 1870: SMTP Service Extension for Message Size Declaration
    ### Summary of RFC 1870: SMTP Service Extension for Message Size Declaration
  78. [78]
    RFC 6530: Overview and Framework for Internationalized Email
    ### Summary of RFC 6530: Email Address Internationalization (EAI)
  79. [79]
    RFC 6531: SMTP Extension for Internationalized Email
    ### Summary of RFC 6531: SMTP Extension for Internationalized Email (SMTPUTF8)
  80. [80]
    RFC 3207 - SMTP Service Extension for - IETF Datatracker
    This document describes an extension to the SMTP (Simple Mail Transfer Protocol) service that allows an SMTP server and client to use TLS (Transport Layer ...
  81. [81]
    RFC 7671: The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance
    ### Summary of DNS-based Authentication of Named Entities (DANE) for TLS in SMTP (RFC 7671)
  82. [82]
    RFC 8461 - SMTP MTA Strict Transport Security (MTA-STS)
    MTA-STS is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections.
  83. [83]
    RFC 8460 - SMTP TLS Reporting - IETF Datatracker
    This document describes a reporting mechanism and format by which sending systems can share statistics and specific information about potential failures with ...
  84. [84]
    The History of Digital Spam - Communications of the ACM
    Aug 1, 2019 · In this article, I will briefly review the history of digital spam: starting from its quintessential incarnation, spam emails, to modern-days forms of spam.
  85. [85]
    RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of ...
    This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the ...
  86. [86]
    RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures
    DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message.
  87. [87]
    RFC 7489 - Domain-based Message Authentication, Reporting, and ...
    DMARC is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, ...
  88. [88]
    [PDF] SPAM FILTER ANALYSIS∗
    Apr 28, 2004 · In this paper we investigate the effectiveness of several spam filtering techniques and technologies. Our analysis was performed by simulating ...Missing: scanning | Show results with:scanning<|control11|><|separator|>
  89. [89]
    25 years of Postfix - LWN.net
    Dec 14, 2023 · Wietse Venema posted a note to the postfix-users mailing list about the 25th anniversary of the Postfix mail server. As can be seen, ...
  90. [90]
    Using Postfix for Secure SMTP Gateways
    The main purpose for postfix's existence is sendmail's complexity. Postfix is a full-featured MTA, and therefore its core functions are the same as any other's.
  91. [91]
    The Postfix Home Page
    Postfix is Wietse Venema's mail server, an alternative to Sendmail, that attempts to be fast, easy to administer, and secure.Download (source) · Postfix Documentation · Postfix Announcements · Mailing listsMissing: history | Show results with:history
  92. [92]
    [PDF] Specification of the Exim Mail Transfer Agent
    The primary site for Exim source distributions is the exim.org FTP site, available over HTTPS, HTTP and FTP. These services, and the exim.org website, are ...<|control11|><|separator|>
  93. [93]
    Exim Internet Mailer
    Exim is a message transfer agent (MTA) originally developed at the University of Cambridge for use on Unix systems connected to the Internet.Download · Documentation · Of /static/doc/security · CreditsMissing: history features
  94. [94]
    The Architecture of Open Source Applications (Volume 1)Sendmail
    SMTP development started in November 1981. The Computer Science Research Group (CSRG) at U.C. Berkeley had gotten the DARPA contract to produce a Unix-based ...
  95. [95]
    Sendmail Sentrion Open Source - Open Source Email Server | Proofpoint US
    ### Summary of Open Source Sendmail History and Key Features
  96. [96]
    sSMTP - Debian Wiki
    Aug 28, 2025 · sSMTP is a simple MTA to deliver mail from a computer to a mail hub (SMTP server). sSMTP is simple and lightweight, there are no daemons or anything hogging up ...
  97. [97]
    How to set up a multifunction device or application to send email ...
    May 3, 2025 · This article explains how you can send email from devices and business applications when all of your mailboxes are in Microsoft 365 or Office 365.Email SMTP support in Azure... · Exchange Online to retire...
  98. [98]
    https://www.proofpoint.com/us/products/email-security-and-protection/secure-email-relay
  99. [99]
    Configure Secure Email Gateway Outbound Relay Mode - Cisco
    Feb 25, 2025 · The new SEG feature, Outbound Relay, permits the conversion from a traditional SEG to a dedicated outbound mass delivery Mail Transfer Agent (MTA).Missing: IronPort | Show results with:IronPort
  100. [100]
    User Guide for AsyncOS 16.0 for Cisco Secure Email Gateway
    Oct 3, 2024 · Secure Email Relay is a feature that lets you send large volumes of emails using the Secure Email Gateway. This feature is only available for ...
  101. [101]
    Secure Email Relay (SER) Solutions - Service Provider | Proofpoint US
    Apr 25, 2022 · Proofpoint Secure Email Relay is a solution for your application email to protect recipients by only allowing approved sources.Missing: proxy | Show results with:proxy
  102. [102]
    Secure Email Gateway - Mimecast
    Mimecast's Secure Email Gateway provides AI-powered email security - a 100% cloud-native secure email gateway solution. Learn more about secure email ...
  103. [103]
    [PDF] The Internet Worm Program: An Analysis - Purdue University
    Nov 3, 1988 · On the evening of 2 November 1988, someone infected the Internet with a worm program. That program exploited flaws in utility programs in ...
  104. [104]
    Sendmail/Postfix Milters in Python - Business Management Systems
    Jul 11, 2015 · Sendmail introduced a new API beginning with version 8.10 - libmilter. Sendmail 8.12 officially released libmilter. Version 8.12 seems to be ...Missing: date | Show results with:date
  105. [105]
    The qmail security guarantee
    The reason I started the qmail project was that I was sick of the security holes in sendmail and other MTAs. Here's what I wrote in December 1995: Every few ...Missing: focused unmaintained forks netqmail
  106. [106]
    notqmail
    - **notqmail**: Open Source successor to qmail and netqmail; aims for stability, compatibility, extensibility, easy packaging, and modernity.
  107. [107]
    http://netqmail.org/