Email Protocols

Email Protocols: How Messages Move

Every time you click "Send" on an email, specific Application Layer protocols are working behind the scenes to route that message across the globe. Understanding these protocols is vital for cybersecurity, as email remains the #1 delivery method for phishing and malware attacks.


[Diagram: Sender -> (SMTP) -> The Internet (Mail Servers) -> (IMAP) -> Receiver]

1. SMTP (Simple Mail Transfer Protocol)

SMTP is for SENDING emails. When you write an email, your email client uses SMTP to push the message from your device to your provider's mail server, which then relays it across the internet (again over SMTP) to the recipient's mail server.

2. POP3 (Post Office Protocol version 3)

POP3 is for RECEIVING emails. POP3 is an older protocol that downloads your email from the mail server directly to your local device (like your laptop) and then deletes it from the server.

3. IMAP (Internet Message Access Protocol)

IMAP is for SYNCING emails. IMAP is the modern standard for receiving email. Instead of downloading and deleting the message, IMAP simply lets your device read the message while keeping it stored safely on the central mail server.
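To make the three roles concrete, here is an added teaching example (not code from the original page or from any real mail server): a tiny in-memory mail server that speaks a minimal SMTP command sequence, stores the delivered message with its envelope sender, and then exposes the two retrieval models, POP3 (download and delete) and IMAP (read and leave on the server). The domain names and the transcript are constructed; no sockets are opened and TLS is only advertised, not simulated.

```python
"""Toy mail server: SMTP handoff plus POP3 vs IMAP retrieval (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class MailServer:
    domain: str
    mailboxes: dict = field(default_factory=dict)  # local user -> list of stored messages

    def smtp_session(self, lines):
        """Drive a minimal SMTP state machine over client command lines.
        Returns the server reply lines, in the same shape as a real transcript."""
        replies = [f"220 {self.domain} ESMTP ready"]
        mail_from, rcpts, body, data_mode = None, [], [], False
        for line in lines:
            if data_mode:                      # inside DATA: collect until the lone "."
                if line == ".":
                    data_mode = False
                    # The envelope sender (MAIL FROM) is recorded as Return-Path; it is
                    # independent of whatever "From:" header the client wrote.
                    msg = f"Return-Path: <{mail_from}>\r\n" + "\r\n".join(body)
                    for user in rcpts:
                        self.mailboxes.setdefault(user, []).append(msg)
                    replies.append("250 OK: queued")
                    mail_from, rcpts, body = None, [], []
                else:
                    body.append(line)
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                replies.append(f"250-{self.domain} greets {arg}")
                replies.append("250 STARTTLS")  # server offers a TLS upgrade (not simulated)
            elif verb == "MAIL":
                mail_from = arg.split(":", 1)[1].strip("<> ")
                replies.append("250 OK")
            elif verb == "RCPT":
                user, _, dom = arg.split(":", 1)[1].strip("<> ").partition("@")
                if dom != self.domain:         # refuse to act as an open relay
                    replies.append("550 relay denied")
                else:
                    rcpts.append(user)
                    replies.append("250 OK")
            elif verb == "DATA":
                if mail_from is None or not rcpts:
                    replies.append("503 bad sequence of commands")
                else:
                    data_mode = True
                    replies.append("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                replies.append("221 Bye")
            else:
                replies.append("500 command not recognized")
        return replies

    def pop3_retrieve(self, user):
        """POP3 model: hand over every message, then delete them from the server."""
        msgs = list(self.mailboxes.get(user, []))
        self.mailboxes[user] = []
        return msgs

    def imap_fetch(self, user):
        """IMAP model: return the messages but keep them stored on the server."""
        return list(self.mailboxes.get(user, []))


def demo():
    """Run one constructed submission and show both retrieval models."""
    server = MailServer("example.net")
    transcript = [
        "EHLO laptop.example.org",
        "MAIL FROM:<alice@example.org>",
        "RCPT TO:<bob@example.net>",
        "DATA",
        "From: Alice <alice@example.org>",
        "To: bob@example.net",
        "Subject: hello",
        "",
        "Message body.",
        ".",
        "QUIT",
    ]
    replies = server.smtp_session(transcript)
    via_imap = server.imap_fetch("bob")       # message is still on the server afterwards
    via_pop3 = server.pop3_retrieve("bob")    # message is gone from the server afterwards
    return replies, via_imap, via_pop3, server.mailboxes["bob"]


if __name__ == "__main__":
    for reply in demo()[0]:
        print(reply)
```

The `Return-Path` line the server writes comes from the SMTP envelope, while the `From:` line comes from the client's own data; keeping the two apart is what the authentication records described later in the page build on.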


Email Security

Standard email protocols originally sent messages in plain, unencrypted text. Today, servers use TLS (Transport Layer Security) to encrypt the connection between the client and the server, and between servers. This means an attacker listening on the network path cannot intercept and read your emails while they are in transit.


Advanced Email Authentication (Spoofing Defense)

How does an attacker send you an email that looks exactly as if it came from support@paypal.com? This is called Email Spoofing. Because SMTP was built without security in mind, anyone can technically put any return address they want on an outgoing email.

To prevent this massive security flaw, organizations implement three powerful DNS records:

  1. SPF (Sender Policy Framework): A public list of the exact IP addresses that are authorized to send email on behalf of a domain. If an email arrives from an attacker's IP address that is not on that list, the receiving server flags it as spam.
  2. DKIM (DomainKeys Identified Mail): Adds a hidden, cryptographic digital signature to the email header. The receiving server uses this signature to mathematically prove that the email wasn't tampered with or altered while crossing the internet.
  3. DMARC (Domain-based Message Authentication, Reporting and Conformance): The ultimate boss. It looks at the results of both SPF and DKIM. If an email fails those checks, DMARC tells the receiving server exactly what to do with the fake email (e.g., "Delete it immediately, do not even put it in the spam folder").
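As an added worked example (not from the original page, and not any real mail filter's code), the following Python evaluates the three records for one inbound message the way a receiving server would: it checks the sending IP against a simplified SPF record, requires the passing identity to be aligned with the visible From: domain, and applies the published DMARC policy (p=none, quarantine or reject). DNS lookups are replaced by an inline dictionary of constructed records, and the DKIM signature check is represented by a boolean result from a hypothetical verifier, since real DKIM involves RSA or Ed25519 signatures over canonicalised headers. The organizational-domain step is simplified to the last two labels; real DMARC uses the Public Suffix List.

```python
"""Simplified SPF / DKIM-alignment / DMARC evaluation for one message (constructed example)."""
import ipaddress

# Constructed stand-in for DNS TXT records (documentation domains and IP ranges).
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=r; aspf=r",
    # A third party whose own SPF passes, but which is not example.org: alignment must fail.
    "third-party.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate ip4/ip6 mechanisms and the 'all' catch-all of a v=spf1 record.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record published)."""
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        mech, _, value = term.partition(":")
        # 'in' is False when address and network families differ, so v4/v6 mixing is safe.
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def org_domain(name):
    """Simplification: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(name.lower().split(".")[-2:])


def aligned(identity_domain, from_domain, mode):
    """DMARC alignment: 's' requires an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return identity_domain.lower() == from_domain.lower()
    return org_domain(identity_domain) == org_domain(from_domain)


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject' style text into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(header_from, mail_from, client_ip, dkim_domain, dkim_valid):
    """Return (disposition, details). Disposition is 'pass' when an aligned SPF or
    DKIM identity passes; otherwise the published p= value ('none', 'quarantine',
    'reject'), or 'none' when the From: domain publishes no DMARC record."""
    from_domain = header_from.rsplit("@", 1)[1]
    record = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}", "")
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "none", {"reason": "no DMARC record"}
    mail_from_domain = mail_from.rsplit("@", 1)[1]
    spf = check_spf(mail_from_domain, client_ip)
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = bool(dkim_valid and dkim_domain) and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    details = {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        return "pass", details
    return tags.get("p", "none"), details


if __name__ == "__main__":
    # Legitimate mail from example.org's own server.
    print(evaluate_dmarc("alice@example.org", "bounce@example.org", "192.0.2.25", "example.org", True))
    # Spoofed From: header sent through an unrelated third party: SPF passes for the
    # third party, but nothing is aligned with example.org, so its policy applies.
    print(evaluate_dmarc("support@example.org", "news@third-party.example", "203.0.113.7", None, False))
```

The second call is the point of the "ultimate boss" description: the third party's own SPF record is perfectly valid, yet because neither passing identity belongs to example.org, the receiver applies example.org's p=reject rather than merely scoring the message as spam.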

Knowledge Check


Which protocol is specifically used for PUSHING or SENDING an email across the internet to a recipient's mail server?