On this page
SMTP
SMTP is one of the oldest protocols on the Internet—mail hops between MTAs from HELO to DATA to QUIT. The three layers of "patches" SPF/DKIM/DMARC attempt to establish sender authentication on SMTP’s trust model.
Overview
SMTP is one of the oldest protocols on the Internet (1982) and remains the foundation for global email transmission today. It transmits email over TCP connections using a simple command-response model. The core concept is the separation of the envelope (MAIL FROM/RCPT TO) and the header (From/To)—the envelope determines routing, while the header is what users see. SPF verifies the sender's server IP, DKIM signs the email content, and DMARC unifies their policies—the three work together to defend against spam and domain spoofing.
SMTP Session Model
SMTP uses a command-response mode (similar to FTP). All transmission occurs over a TCP connection:
S: 220 mail.example.com ESMTP Postfix
C: EHLO client.example.com ← EHLO = Extended HELLO
S: 250-mail.example.com
S: 250-STARTTLS
S: 250-PIPELINING
S: 250-SIZE 52428800
S: 250 AUTH PLAIN LOGIN
C: STARTTLS ← Upgrade to TLS
S: 220 Ready to start TLS
(C: TLS handshake)
C: EHLO client.example.com ← re-EHLO after STARTTLS (new negotiation)
C: AUTH PLAIN <base64(\0user\0pass)> ← Authentication
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sender@example.com> ← envelope-from (bounce address, SPF checks this)
S: 250 2.1.0 Ok
C: RCPT TO:<recipient@example.org> ← envelope-to
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Sender <sender@example.com> ← header-from (what users see, DMARC alignment)
C: To: Recipient <recipient@example.org>
C: Subject: Test
C: Date: Thu, 01 Jan 2025 00:00:00 +0000
C: Message-ID: <abc123@example.com>
C:
C: Hello, World
C: . ← Single line '.' ends DATA
S: 250 2.0.0 Ok: queued as 1A2B3C4D5E
C: QUIT
S: 221 2.0.0 Bye
Envelope vs Header
Key distinction: The SMTP envelope (MAIL FROM / RCPT TO) and the message header (From / To) are independent. SPF checks the envelope-from domain. DMARC enforces alignment (header From domain == envelope-from domain or DKIM domain).
SMTP Ports
25: MTA↔MTA relay (traditional, rarely used for clients now)
587: Submission (client → MSA, requires STARTTLS + AUTH)
465: SMTPS (SMTP over TLS, non-standard but widely used, now recognized by RFC 8314)
SPF
DNS: example.com TXT "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all"
Receiving MTA:
1. Look up the SPF record for the MAIL FROM domain
2. Verify whether the connecting source IP is in the SPF authorized list
3. Result: Pass / Fail / SoftFail (~all) / Neutral (?all) / None (no SPF)
If Fail + DMARC reject → Reject (550 5.7.1 SPF failed)
DKIM
Signing: The MTA signs selected headers (from, to, subject, date, message-id) +
body hash (SHA-256) using a private key
DKIM-Signature header:
v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;
h=from:to:subject:date:message-id;
bh=<base64(SHA256(canonicalized body))>;
b=<base64(RSA-SIGN(header hash + body hash))>
DNS: default._domainkey.example.com TXT "v=DKIM1; k=rsa; p=<public key>"
Verification: The MTA retrieves p= → verifies the signature → compares bh → OK
DMARC
DNS: _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
Verification:
1. SPF alignment: envelope-from domain == header From domain? (strict or relaxed)
2. DKIM alignment: d= domain == header From domain? (strict or relaxed)
3. If either passes → DMARC pass
4. If both fail → Apply policy: none (report only), quarantine (mark as spam), reject (reject)
rua: Aggregate reports (daily, XML)
ruf: Forensic failure reports (rarely used, privacy concerns)
pct: Percentage of enforcement (100 = fully enforced)
References
- Tools:
swaks --to user@example.com --server mail.example.com --tls,dig TXT _dmarc.example.com - mxtoolbox.com for SPF/DKIM/DMARC validation
Keywords: SMTP, EHLO, envelope, STARTTLS, SPF, DKIM, DMARC, alignment, submission