SMTP (Simple Mail Transfer Protocol)
SMTP is the standard protocol used to send and relay email messages between mail servers and from email clients to servers.
What is SMTP?
Simple Mail Transfer Protocol (SMTP) is the core protocol responsible for sending email across networks. It is used when an email is submitted by a client and when messages are transferred between mail servers on the internet. SMTP handles message routing but does not manage mailbox storage or message retrieval.
Why SMTP matters
SMTP is essential because it:
- Enables email delivery worldwide
- Routes messages between mail servers
- Works with authentication and security extensions
- Forms the backbone of enterprise and internet email systems
Every email you send relies on SMTP at some stage.
How SMTP works (simplified)
A typical SMTP flow:
- The email client submits a message to an SMTP server
- The server authenticates the sender (if required)
- The message is relayed to recipient mail servers
- The recipient server accepts or rejects the message
- The message is stored for retrieval via IMAP or POP3
SMTP is designed for reliable message transfer, not message storage.
SMTP ports and security
Common SMTP ports include:
- Port 25 – server-to-server mail transfer (often restricted)
- Port 587 – message submission with authentication (recommended)
- Port 465 – SMTP over TLS (legacy but still used)
Best practice is to use port 587 with STARTTLS.
SMTP and TLS
SMTP supports encryption using:
- STARTTLS to upgrade connections to TLS
- Encrypted channels to protect credentials and message content
Without TLS, SMTP traffic can be intercepted or modified.
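The check below is an added example, not code from the original page: it audits a client-side SMTP session log and reports where credentials or message content crossed the connection before a STARTTLS upgrade completed. The "C: "/"S: " log format, the finding names, and both sample sessions are assumptions constructed for illustration.

```python
# Constructed client-side session logs; the "C: "/"S: " prefixes are an assumed format.
GOOD = """S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 OK""".splitlines()

CLEARTEXT = """S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 OK""".splitlines()

def audit_session(lines):
    """Return de-duplicated findings, in order of appearance, for one session log."""
    tls = pending = offered = False  # TLS active / STARTTLS sent / STARTTLS advertised
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.upper().split()
        if side == "S" and pending:
            tls, pending = words[:1] == ["220"], False  # 220 = upgrade accepted
        elif side == "S" and not tls and text[:3] == "250" and len(text) > 4:
            keyword = (text[4:].upper().split() or [""])[0]  # EHLO capability keyword
            offered = offered or keyword == "STARTTLS"
            if keyword == "AUTH":
                findings.append("auth-advertised-in-cleartext")
        elif side == "C" and words:
            if words[0] == "STARTTLS":
                pending = True
            elif not tls and words[0] == "AUTH":
                findings.append("credentials-sent-in-cleartext")
            elif not tls and words[0] == "MAIL":
                findings.append("message-sent-in-cleartext")
    if not offered:
        findings.append("starttls-not-offered")
    return list(dict.fromkeys(findings))

if __name__ == "__main__":
    print(audit_session(GOOD), audit_session(CLEARTEXT))
```

A session that upgrades before authenticating yields no findings; a STARTTLS keyword that is missing from the server's capability list is reported rather than silently tolerated.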
SMTP authentication
Modern SMTP servers require:
- User authentication for message submission
- Protection against open relay abuse
- Integration with email authentication standards
SMTP authentication helps prevent spam and unauthorized use.
SMTP and spam prevention
SMTP works alongside:
- SPF to verify authorized sending servers
- DKIM to sign and verify messages
- DMARC to enforce domain policies
SMTP alone does not prevent spam; it relies on these additional controls.
SMTP limitations
SMTP does not:
- Retrieve or sync emails (IMAP/POP3 handle that)
- Encrypt messages end-to-end by default
- Guarantee message delivery (it is best-effort)
It must be combined with other protocols and controls.
Common misconceptions
- "SMTP is only used by email clients"
- "SMTP encrypts emails automatically"
- "SMTP stops spam by itself"
- "Port 25 is the best choice for sending mail"