Dorokhov.codes

01. How it works

SMTP

SMTP is the standard protocol for submitting mail and relaying it between servers. Your mail client connects to your provider's submission server (normally TCP port 587 with STARTTLS, or 465 with implicit TLS), authenticates (usually with a username and password), and the server accepts the message for delivery.

Finding the recipient’s server

  • The SMTP server looks at the recipient’s email address (e.g., alice@example.com).
  • It extracts the domain (example.com) and queries the DNS system for MX records (Mail eXchanger).
  • These records tell it which server is responsible for handling mail for that domain (if a domain publishes no MX record, its A/AAAA record is used as an implicit MX, per RFC 5321).

Transporting the message

  • Your SMTP server then contacts the recipient's SMTP server (TCP port 25, usually, upgrading to TLS with STARTTLS when both sides support it). Nothing on this server-to-server hop authenticates the sender, which is why the checks under "Security layers" below exist.
  • If accepted, the receiving server stores the email in the recipient’s mailbox.

Retrieving the email

  • The recipient doesn’t connect to SMTP directly to read it.
  • Instead, they use protocols for retrieval:
    • POP3 (Post Office Protocol v3) — downloads and often removes mail from the server.
    • IMAP (Internet Message Access Protocol) — synchronizes mail between server and client, keeping copies on the server.

Modern webmail (like Gmail) is a web application in front of the provider's mail store: your browser talks to it over HTTPS, while the provider's servers still use SMTP to exchange mail with other domains.

Security layers

To prevent spam and forgery, email systems use:

  • SPF (Sender Policy Framework): checks whether the connecting server's IP address is allowed to send mail for the envelope sender (MAIL FROM / Return-Path) domain.
  • DKIM (DomainKeys Identified Mail): a digital signature, keyed per domain, over selected headers and the body, for authenticity and integrity.
  • DMARC: a policy that ties SPF and DKIM to the visible From: domain, tells recipients how to handle failures, and requests reports.

SPF

SPF is a DNS-based mechanism that lets the owner of a domain specify which mail servers are allowed to send email on behalf of that domain.

With SPF, receiving servers can check whether the connecting IP is actually authorized by the domain owner. Note which domain is checked: SPF is evaluated against the envelope sender, i.e. the SMTP MAIL FROM (Return-Path) domain, or the HELO/EHLO name when MAIL FROM is empty, not against the From: header the user sees. On its own, SPF therefore does not stop a forged From: header; that gap is what DMARC alignment closes.

You set up a TXT record in your DNS with the SPF policy. Example for example.com:

example.com. TXT "v=spf1 ip4:203.0.113.25 include:_spf.google.com -all"
  • v=spf1 → SPF version 1
  • ip4:203.0.113.25 → allow this IP to send (ip6: works the same for IPv6; both accept CIDR ranges such as 203.0.113.0/24)
  • include:_spf.google.com → also allow whatever Google's SPF record allows (if you use Google Workspace for this domain). Each include, a, mx, ptr, exists and redirect= term costs a DNS lookup, and an evaluation is limited to 10 such lookups in total; exceeding that yields permerror, which receivers treat as no usable policy.
  • -all → hard fail for every other sender. ~all would be a softfail (a weaker signal that most receivers only score) and ?all is neutral. When DMARC is evaluated only an SPF pass counts, so the -all vs. ~all choice matters only to receivers that act on SPF alone.

When a receiving server gets an email whose envelope sender (MAIL FROM) is @example.com, it:

  • Takes the IP address of the connecting SMTP client.
  • Looks up the SPF TXT record of example.com.
  • Walks the mechanisms left to right; the first one that matches the IP decides the result (pass, fail, softfail or neutral, depending on its qualifier), and a record in which nothing matches evaluates to neutral.

In short: SPF = DNS rulebook of who can send mail for your domain.
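The evaluation above, carried through in code. This is an added example written for this page, not code from the original post: a minimal SPF evaluator in Go that resolves records from a constructed in-memory table (the example.com record from the text with the Google include swapped for a constructed _spf.mail.example, plus a deliberately looping record), walks the mechanisms in order, honours the qualifiers and enforces the 10-lookup limit. Domain names and addresses are documentation values chosen for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// dnsTXT is a constructed, in-memory stand-in for DNS TXT lookups so the example
// runs offline; a real evaluator queries the resolver here. The first record is the
// one from the text with the Google include replaced by a constructed domain.
var dnsTXT = map[string]string{
	"example.com":       "v=spf1 ip4:203.0.113.25 include:_spf.mail.example -all",
	"_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
	"loop.example":      "v=spf1 include:loop.example -all", // include cycle
}

// maxLookups is the RFC 7208 limit on DNS-querying mechanisms per evaluation.
const maxLookups = 10

type evaluator struct{ lookups int }

// check evaluates the SPF record of domain against the connecting IP and returns
// pass, fail, softfail, neutral, none or permerror. Only the mechanisms used in
// the records above (ip4, ip6, include, all) are implemented; a, mx, ptr, exists
// and redirect= are reported as permerror so they are never silently skipped.
func (e *evaluator) check(domain string, ip netip.Addr) string {
	terms := strings.Fields(dnsTXT[strings.ToLower(domain)])
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return "none"
	}
	for _, term := range terms[1:] {
		qual := byte('+')
		if strings.ContainsRune("+-~?", rune(term[0])) {
			qual, term = term[0], term[1:]
		}
		mech, arg, _ := strings.Cut(term, ":")
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address: a single host
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[mech]
			}
			pfx, err := netip.ParsePrefix(arg)
			if err != nil {
				return "permerror"
			}
			matched = pfx.Contains(ip) // false when the address families differ
		case "include":
			e.lookups++
			if e.lookups > maxLookups {
				return "permerror"
			}
			switch e.check(arg, ip) {
			case "pass":
				matched = true
			case "none", "permerror": // a missing or broken included record is fatal
				return "permerror"
			}
		default:
			return "permerror"
		}
		if matched {
			return map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}[qual]
		}
	}
	return "neutral" // no mechanism matched and no "all" terminator
}

// spfCheck is the entry point: domain is the MAIL FROM (Return-Path) domain and
// ip is the address of the connecting SMTP client.
func spfCheck(domain, ip string) string {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return "permerror"
	}
	return (&evaluator{}).check(domain, addr)
}

func main() {
	for _, c := range [][2]string{
		{"example.com", "203.0.113.25"}, // listed directly: pass
		{"example.com", "198.51.100.7"}, // via the include: pass
		{"example.com", "192.0.2.1"},    // matches nothing but -all: fail
		{"loop.example", "192.0.2.1"},   // include cycle exhausts the lookup budget: permerror
	} {
		fmt.Printf("%-13s %-14s -> %s\n", c[0], c[1], spfCheck(c[0], c[1]))
	}
}
```

Run it with go run: it prints pass for the two authorized addresses, fail for the unlisted one and permerror for the loop. The mechanisms a, mx, ptr and exists, plus redirect= and macros, are left out and deliberately reported as permerror rather than ignored; a production evaluator must implement them and also respect the separate limits RFC 7208 puts on void lookups and MX answers.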

DKIM

DKIM (DomainKeys Identified Mail) is an email authentication method that lets the receiving mail server verify that an email was signed with a key published in DNS by the domain it claims (the d= tag of the signature) and that the signed parts of the message were not altered in transit.

  1. Sender prepares the email
    • The sending mail server takes the body and a chosen set of headers (From: is mandatory; the list goes into the h= tag), canonicalizes them (the c= tag, e.g. relaxed/simple, so that harmless whitespace changes in transit do not break the check), hashes them with SHA-256, and signs the hash with the domain's private DKIM key. This is a signature, not encryption: anyone can still read the mail, but nobody without the private key can produce a valid signature.
    • The result is added as a DKIM-Signature header carrying, among other tags, d= (signing domain), s= (selector), h= (signed headers), bh= (hash of the canonicalized body) and b= (the signature itself).
  2. Receiver checks the signature
    • The receiving server looks up the TXT record at <selector>._domainkey.<domain>, built from the s= and d= tags.
    • The record contains the public key.
    • The server recomputes the body hash and compares it with bh=, then recomputes the header hash (with the b= value emptied) and verifies the signature in b= against it with the public key.
  3. Result
    • If the signature verifies → the covered headers and body are unchanged since signing, and the signer holds the private key for d=.
    • If it does not → the DKIM check fails. Any header not listed in h= can be altered or added freely without affecting the result, which is why From:, Subject: and Date: should always be covered.

A DKIM record is stored as a TXT record under a selector (a prefix used to distinguish multiple keys).

selector1._domainkey.example.com  IN  TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."
  • selector1 → name chosen by the signer (the s= tag), selecting which key to use; publishing a new selector is how keys are rotated without invalidating mail signed with the old one
  • _domainkey → fixed label for DKIM
  • p=... → the base64-encoded public key (an empty p= means the key has been revoked)
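Steps 1 to 3 and the selector record, as one added worked example in Go (written for this page; not the author's code and not how any particular MTA implements it). It generates an RSA-2048 key, builds the TXT value that would be published at selector1._domainkey.example.com in the format above, signs a constructed message with relaxed header / simple body canonicalization, and then verifies the original plus two copies altered in transit. The domain, selector, headers and body are constructed; canonicalization is implemented only as far as this message needs, and a real verifier also handles tags in any order, the l=, t=, x= and i= tags, folded and duplicated headers, and key records with multiple strings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

func tags(s string) map[string]string { // parses "k=v; k=v" lists (signature value, DNS record)
	m := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			m[k] = strings.TrimSpace(v)
		}
	}
	return m
}

// relaxedHeader: RFC 6376 "relaxed" header canonicalization (lowercase name, unfolded value, whitespace collapsed) + CRLF.
func relaxedHeader(name, value string) string {
	v := strings.Join(strings.Fields(strings.ReplaceAll(value, "\r\n", " ")), " ")
	return strings.ToLower(name) + ":" + v + "\r\n"
}

// bodyHash is the bh= tag: "simple" body canonicalization (CRLF ends, trailing empty lines dropped, one final CRLF), SHA-256, base64.
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	h := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}

// headerHash covers the h= headers in order, then DKIM-Signature itself with an empty b= and no trailing CRLF; this is what gets signed.
func headerHash(names []string, headers map[string]string, sigNoB string) []byte {
	h := sha256.New()
	for _, n := range names {
		h.Write([]byte(relaxedHeader(n, headers[n])))
	}
	h.Write([]byte(strings.TrimSuffix(relaxedHeader("DKIM-Signature", sigNoB), "\r\n")))
	return h.Sum(nil)
}

// dkimSign returns the DKIM-Signature value (d=example.com and s=selector1 are constructed). headers is keyed by
// lowercase field name; signed is the h= list and must include "from". The digest is signed (RSASSA-PKCS1-v1_5), not encrypted.
func dkimSign(key *rsa.PrivateKey, signed []string, headers map[string]string, body string) (string, error) {
	sigNoB := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1; h=%s; bh=%s; b=",
		strings.Join(signed, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(signed, headers, sigNoB))
	if err != nil {
		return "", err
	}
	return sigNoB + base64.StdEncoding.EncodeToString(sig), nil
}

// dkimVerify takes the TXT record fetched from <s>._domainkey.<d>, re-derives both hashes from the message as received and checks b= against p=.
func dkimVerify(record, sigValue string, headers map[string]string, body string) bool {
	der, err := base64.StdEncoding.DecodeString(tags(record)["p"])
	k, perr := x509.ParsePKIXPublicKey(der)
	pub, ok := k.(*rsa.PublicKey)
	t := tags(sigValue)
	if err != nil || perr != nil || !ok || t["a"] != "rsa-sha256" || t["bh"] != bodyHash(body) {
		return false // bad key, unsupported algorithm, or body altered in transit
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	i := strings.Index(sigValue, "; b=") // b= is the final tag as dkimSign emits it
	if err != nil || i < 0 {
		return false
	}
	digest := headerHash(strings.Split(t["h"], ":"), headers, sigValue[:i+4])
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// demo signs a constructed message, "publishes" the key in the record format shown above, then verifies the
// original, a copy whose body was altered in transit and a copy whose From: header was rewritten.
func demo() (origOK, bodyTamperedOK, fromTamperedOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for an RSA key
	record := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	headers := map[string]string{"from": "Alice <alice@example.com>", "to": "bob@example.net", "subject": "Invoice"}
	body := "Please find the invoice attached.\r\n"
	sig, err := dkimSign(key, []string{"from", "to", "subject"}, headers, body)
	if err != nil {
		return
	}
	origOK = dkimVerify(record, sig, headers, body)
	bodyTamperedOK = dkimVerify(record, sig, headers, "Pay to account 12345 instead.\r\n")
	forged := map[string]string{"from": "Alice <alice@attacker.example>", "to": headers["to"], "subject": "Invoice"}
	fromTamperedOK = dkimVerify(record, sig, forged, body)
	return
}

func main() {
	fmt.Println(demo()) // true false false <nil>
}
```

The two failing verifications fail for different reasons: the altered body is caught by the bh= comparison before any public-key operation, while the rewritten From: header passes bh= and only fails when the signature over the header hash is checked. That is also why the verifier must take the list of covered headers from the h= tag of the message and never from its own assumptions.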

Benefits of DKIM

  • Ensures message integrity (the signed headers and body were not modified in transit).
  • Proves domain authenticity: the signer controls the private key whose public half is published under the d= domain. By itself this does not prove that the From: header matches d=; that check is DMARC alignment.
  • Reduces the risk of spoofing and phishing.
  • Contributes to a good email reputation (important for inbox delivery).

DMARC

DMARC is an email authentication protocol that builds on SPF and DKIM. It allows a domain owner to publish policies in DNS that tell receiving mail servers what to do when a message fails DMARC, that is, when neither SPF nor DKIM produces a pass that aligns with the From: domain.

It also enables reporting, so the domain owner can see who is sending emails on their behalf (legitimate or fraudulent).

  • DMARC requires that the domain in the message's From: header aligns with the domain that SPF authenticated (the MAIL FROM domain) or that DKIM authenticated (the d= tag). Alignment is relaxed by default (same organizational domain, e.g. mail.example.com and example.com) and can be made strict (exact match) with aspf=s / adkim=s.
  • A message passes DMARC if at least one of the two passes and aligns. This prevents attackers from passing SPF or DKIM with a domain they control while showing yours in From:.
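Alignment and policy lookup, as an added example in Go written for this page (not the original author's code). It takes what the receiver already knows after the SPF and DKIM checks, finds the record at _dmarc.<From: domain> (falling back to the organizational domain for subdomains, where sp= applies), checks alignment in strict or relaxed mode and returns the result and the requested disposition. The record is the one from the TXT example further down plus constructed sp=reject, aspf=s and adkim=r tags; the organizational-domain rule is simplified to the last two labels, which is wrong for multi-label public suffixes such as co.uk.

```go
package main

import (
	"fmt"
	"strings"
)

// dmarcTXT is a constructed, in-memory stand-in for the TXT lookup at _dmarc.<domain>.
// It is the record from the text with a subdomain policy and alignment modes added.
var dmarcTXT = map[string]string{
	"_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; rua=mailto:dmarc-reports@example.com",
}

// authResults is what the receiver knows once SPF and DKIM have been evaluated.
type authResults struct {
	fromDomain string // domain of the RFC 5322 From: header the user sees
	spfPass    bool
	spfDomain  string // MAIL FROM (Return-Path) domain that SPF was evaluated for
	dkimPass   bool
	dkimDomain string // d= of a DKIM signature that verified
}

// parseTags splits "k=v; k=v" records into a map.
func parseTags(record string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(record, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			m[strings.ToLower(k)] = strings.TrimSpace(v)
		}
	}
	return m
}

// orgDomain is a deliberate simplification: the last two labels. Real
// implementations consult the Public Suffix List so that "mail.example.co.uk"
// maps to "example.co.uk" rather than "co.uk".
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether an authenticated domain aligns with the From: domain:
// mode "s" (strict) needs an exact match, "r" (relaxed, the default) the same
// organizational domain.
func aligned(fromDomain, authDomain, mode string) bool {
	f, a := strings.ToLower(fromDomain), strings.ToLower(authDomain)
	if mode == "s" {
		return f == a
	}
	return orgDomain(f) == orgDomain(a)
}

func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

// dmarcEvaluate returns the DMARC result ("pass", "fail", or "none" when no policy
// is published) and the disposition the domain owner requested ("none",
// "quarantine" or "reject"). pct= is ignored here: the policy applies to all mail.
func dmarcEvaluate(r authResults) (result, disposition string) {
	from := strings.ToLower(r.fromDomain)
	record, ok := dmarcTXT["_dmarc."+from]
	subdomain := false
	if !ok { // no record on the exact From: domain: fall back to the organizational domain
		record, ok = dmarcTXT["_dmarc."+orgDomain(from)]
		subdomain = true
	}
	t := parseTags(record)
	if !ok || t["v"] != "DMARC1" || t["p"] == "" {
		return "none", "none"
	}
	spfAligned := r.spfPass && aligned(from, r.spfDomain, orDefault(t["aspf"], "r"))
	dkimAligned := r.dkimPass && aligned(from, r.dkimDomain, orDefault(t["adkim"], "r"))
	if spfAligned || dkimAligned {
		return "pass", "none"
	}
	if subdomain {
		return "fail", orDefault(t["sp"], t["p"])
	}
	return "fail", t["p"]
}

func main() {
	for _, c := range []authResults{
		{fromDomain: "example.com", spfPass: true, spfDomain: "bounce.example.com", dkimPass: true, dkimDomain: "mail.example.com"},
		{fromDomain: "example.com", spfPass: true, spfDomain: "bounce.example.com"},
		{fromDomain: "example.com", spfPass: true, spfDomain: "attacker.example", dkimPass: true, dkimDomain: "attacker.example"},
		{fromDomain: "news.example.com", spfPass: true, spfDomain: "news.example.com"},
		{fromDomain: "news.example.com", dkimPass: true, dkimDomain: "attacker.example"},
		{fromDomain: "other.example", spfPass: true, spfDomain: "other.example"},
	} {
		result, disposition := dmarcEvaluate(c)
		fmt.Printf("From %-18s -> %s (%s)\n", c.fromDomain, result, disposition)
	}
}
```

The second case is the one that surprises people: SPF passes, but with aspf=s a bounce subdomain in MAIL FROM does not align with example.com in From:, so without a DKIM signature the message is quarantined. The third case is the attack DMARC exists for: the attacker's own SPF and DKIM both pass, for attacker.example, and neither aligns with the From: domain shown to the user.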

TXT-record example, published at _dmarc.example.com:

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; fo=1"
  • v=DMARC1 → DMARC version
  • p=quarantine → policy for mail that fails DMARC: none (monitor only), quarantine (deliver to spam) or reject. sp= sets a separate policy for subdomains, and pct= applies the policy to only a percentage of failing mail during rollout.
  • rua= → where receivers send aggregate reports (counts per sending IP with the SPF, DKIM and alignment results)
  • ruf= → where receivers send per-message failure reports (many receivers do not send these at all)
  • fo=1 → request a failure report when either SPF or DKIM fails, not only when both do (the default, fo=0)

The usual rollout is p=none with rua= set, reading the reports until every legitimate sender is covered by aligned SPF or DKIM, then moving to quarantine and finally reject.