Sending or receiving messages (SMTP) over the Internet (TCP/IP)
MUA - Mail User Agent
Mail clients that interface with the user (e.g. Thunderbird, Outlook, or a CRM such as Freshsales sending on a user's behalf). The MUA hands the message to the first MTA over SMTP submission.
MTA - Mail Transfer Agent
Looks up the MX records of the recipient's domain and transfers the email over SMTP to the server they point at (or to the next relay on the path).
MUA -> MTA -> MTA -> MTA -> MTA -> MDA -> Recipient Mailbox
       ---    ---    ----------
     sender   MX     SMTP relays
      MTA   server
SMTP Relay
Extra MTA hops (e.g. a spam-filtering gateway or internal mail hub) between the recipient's MX server and the MDA. Each hop adds its own Received: header, so the chain is visible in the delivered message.
SPF - Sender Policy Framework
A DNS TXT record on the domain (v=spf1 ...) listing the IPs/networks of the mail servers allowed to send mail for that domain. The qualifier on the final "all" mechanism (-all hard fail, ~all soft fail, ?all neutral) says what to return for every other sender.
SPF is checked only against the envelope sender: the domain of the SMTP MAIL FROM (what ends up in Return-Path), or the HELO/EHLO name when MAIL FROM is empty. It is never checked against the Header From address, so on its own it does not protect against header-from spoofing or display-name spoofing.
Even if you publish a hard fail (-all), receivers may still accept mail that fails. Many receiving servers treat -all and ~all exactly the same and only feed the result into spam scoring and DMARC rather than rejecting outright; SPF produces a result, the receiver decides the policy.
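To make the evaluation concrete, here is a toy SPF checker added to these notes (not code from the page). It walks a record term by term the way RFC 7208 check_host() does, over a constructed in-memory "DNS" (the domains, records and addresses are made up; a real checker would query TXT records). Note that the only identity it takes is the MAIL FROM domain; the Header From never enters the function, which is exactly the gap described above.

```python
"""Toy SPF evaluator over an in-memory "DNS" (added example, not from the notes).

Only the ip4/ip6/include/all mechanisms are implemented: no a, mx, ptr,
exists, macros or redirect=. Records and addresses below are constructed.
"""
import ipaddress

# Constructed SPF records (domain -> TXT). Not real DNS data.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, mailfrom_domain: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """SPF result for a connection from `ip` whose MAIL FROM (envelope sender)
    is in `mailfrom_domain`. The Header From plays no part in this function."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(mailfrom_domain.lower())
    if record is None:
        return "none"                   # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address in the record
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"
            matched = addr in net       # False when address families differ
        elif name == "include":
            # include matches only if the referenced record yields "pass";
            # its fail/softfail/neutral do not terminate evaluation here
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "none":
                return "permerror"      # included domain has no SPF record
            if sub in ("permerror", "temperror"):
                return sub
            matched = sub == "pass"
        else:
            return "permerror"          # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end with no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"),      # direct ip4 match
                       ("2001:db8::1", "example.com"),      # via include, ip6
                       ("203.0.113.5", "example.com"),      # include softfails, then -all
                       ("203.0.113.6", "softfail.example"), # ~all
                       ("203.0.113.6", "nonexistent.example")]:
        print(f"{ip:>14} as MAIL FROM @{domain}: {check_host(ip, domain)}")
```

The third case is the one people get wrong: the included record ends in ~all, but an include only contributes a match when it passes, so evaluation continues and the outer -all turns it into a hard fail.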
DKIM - DomainKeys Identified Mail
DKIM authenticates the domain that signed the message. The sending server hashes the (canonicalized) body, records that hash as bh=, and signs it together with selected headers (h=) using the domain's private key; the result is a DKIM-Signature header with the signing domain in d= and a selector in s=. The receiving server fetches the public key from DNS at <selector>._domainkey.<d= domain> (a TXT record) and verifies the signature, which proves the signed headers and the body were not changed after signing. Nothing is encrypted; the message itself travels in clear text.
It is an additional layer, not a protection by itself: DKIM only proves that the domain in d= signed the message. An attacker can sign spoofed mail with their own domain's key, and nothing in DKIM alone requires d= to match the Header From. That linkage is what DMARC adds.
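To show the integrity half of DKIM concretely, here is an added example (not code from these notes) that parses the DKIM-Signature tag list, derives the DNS name the public key would be fetched from, and recomputes the body hash with RFC 6376 simple/relaxed body canonicalization. The message, the selector sel2024 and the domain example.com are constructed; its bh= is produced by the same routine a signer uses, and its b= tag is a placeholder, so the RSA verification of the headers is deliberately not performed here (that step needs the public key from DNS).

```python
"""DKIM body-hash check and tag parsing (added example, not from the notes).

Verifies bh= over the delivered body; does NOT verify the b= signature.
The sample message is constructed, with a placeholder b= tag.
"""
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """RFC 6376 body canonicalization. simple: drop trailing empty lines only.
    relaxed: also strip trailing WSP and collapse WSP runs to one space."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":           # ignore empty lines at end of body
        lines.pop()
    if not lines:                                # empty body: CRLF (simple) / "" (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str = "simple", algo: str = "sha256") -> str:
    """The bh= value a signer writes: base64 of the digest of the canonical body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(value: str) -> dict:
    """'k=v; k=v' tag list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def split_message(msg: bytes):
    """Header block and body, split at the first empty line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in msg:
            head, body = msg.split(sep, 1)
            return head, body
    return msg, b""


def get_header(head: bytes, name: str):
    """Value of the first header called `name`, folded lines joined; else None."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)
    for line in re.split(rb"\r?\n", unfolded):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode():
            return value.strip().decode("ascii", "replace")
    return None


def verify_body_hash(msg: bytes) -> dict:
    """Recompute bh= from the delivered body and compare with the signed value.
    Also derive where the public key for b= would be fetched from DNS."""
    head, body = split_message(msg)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"signed": False}
    tags = parse_dkim_tags(sig)
    # c=header/body; a single value means body canonicalization is simple
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags.get("a", "rsa-sha256").split("-")[-1]      # rsa-sha256 -> sha256
    computed = body_hash(body, body_mode, algo)
    return {
        "signed": True,
        "domain": tags.get("d"),
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
        "body_hash_ok": hmac.compare_digest(computed, tags.get("bh", "")),
    }


# Constructed sample (not a real capture); bh= computed as a signer would.
SAMPLE_BODY = b"Please pay 100 EUR to account 1234.\r\n\r\n"


def build_sample_message(body: bytes = SAMPLE_BODY) -> bytes:
    bh = body_hash(body, "relaxed").encode("ascii")
    head = (b"From: Alice <alice@example.com>\r\n"
            b"To: Bob <bob@example.net>\r\n"
            b"Subject: Invoice\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b"\ts=sel2024; h=from:to:subject; bh=" + bh + b";\r\n"
            b"\tb=PLACEHOLDER-not-a-real-signature\r\n")
    return head + b"\r\n" + body


if __name__ == "__main__":
    good = build_sample_message()
    print(verify_body_hash(good))                                  # body_hash_ok True
    print(verify_body_hash(good.replace(b"100 EUR", b"900 EUR")))  # amount changed in transit
```

A failed bh= check means the body is not what was signed; a passing one means nothing about who the From header claims to be, since d= can be any domain the sender controls.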
DMARC - Domain-based Message Authentication, Reporting and Conformance
The DMARC record (a TXT record at _dmarc.<domain>) of the domain in the Header From address is the one that applies, because most Mail User Agents (MUAs) show that field to the user as the originator of the message. If the Header From domain has no record, the organizational domain's record is used.
DMARC's conformance check is called "alignment": the Header From domain must be "aligned" with a domain that was actually authenticated on the message, either by DKIM or by SPF. If either the DKIM or the SPF identifier aligns (and that check passed), DMARC evaluates as PASS.
SPF alignment: the Header From domain and the MAIL FROM domain must be identical (strict, aspf=s) or share the same organizational domain (relaxed, aspf=r, the default), and SPF must have passed.
DKIM alignment: there must be a valid signature whose d= domain aligns with the Header From domain (adkim=s strict, adkim=r relaxed, the default).
There are 3 DMARC policies (the p= tag; sp= sets a separate policy for subdomains):
Monitor, p=none: failing mail is delivered as normal (inbox or other folders); the domain owner only collects reports.
Quarantine, p=quarantine: failing mail should go to the recipient's junk or spam folder.
Reject, p=reject: failing mail should be rejected outright and never reach the recipient.
DMARC tells receiving mail servers what to do with a message that appears to come from your organization but fails authentication, or fails the alignment requirements in your DMARC record. The policy is a request; receivers may still apply their own local overrides.
Receivers send senders aggregate (rua=) and failure (ruf=) reports about messages claiming to be from the sender's domain and how they authenticated, while senders tell receivers, via p=, what to do with messages that do not authenticate.
Display name spoofing
None of the mechanisms care about the display name. From: "Jane Smith, CEO" <attacker@evil.example> can pass SPF, DKIM and DMARC for evil.example, because all three only look at the domain in the address, and the MUA may show the user nothing but "Jane Smith, CEO". Catching this is left to the MUA or to a filter that compares display names against known contacts.
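The alignment and policy logic above, plus the display-name case just described, as one added example (not code from these notes). The _dmarc records, the tiny PUBLIC_SUFFIXES stand-in for the Public Suffix List, and every From header, domain and result are constructed. SPF and DKIM results are taken as inputs, so the code shows only the step DMARC adds on top of them: check alignment, pick a policy, and note that a spoofed display name on an attacker-owned domain sails straight through.

```python
"""DMARC alignment + policy lookup over constructed inputs (added example).

SPF/DKIM results are inputs; this shows only the DMARC step. All records,
domains and the PUBLIC_SUFFIXES stand-in are made up.
"""
import re

# Stand-in for the Public Suffix List (constructed; real code uses the PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DMARC records at _dmarc.<domain>. Not real DNS data.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; "
                          "rua=mailto:dmarc@example.com",
    "_dmarc.evil.example": "v=DMARC1; p=none",
}


def org_domain(domain: str) -> str:
    """Organizational domain: one label more than the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels)
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_tags(record: str) -> dict:
    """'k=v; k=v' tag list as used by DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def header_from_domain(header_from: str) -> str:
    """Domain of the addr-spec in From. The display name is ignored, exactly
    as SPF, DKIM and DMARC ignore it."""
    m = re.search(r"<([^>]+)>", header_from)
    addr = m.group(1) if m else header_from.strip()
    return addr.rpartition("@")[2].lower()


def evaluate_dmarc(header_from, spf_result, mailfrom_domain, dkim_results, dns=FAKE_DNS):
    """Return (dmarc_result, requested_disposition, header_from_domain).

    spf_result:   SPF result for the MAIL FROM domain `mailfrom_domain`.
    dkim_results: list of (result, d_domain), one per DKIM-Signature header.
    """
    fd = header_from_domain(header_from)
    record, used_org_record = dns.get(f"_dmarc.{fd}"), False
    if record is None and org_domain(fd) != fd:      # fall back to the org domain
        record, used_org_record = dns.get(f"_dmarc.{org_domain(fd)}"), True
    if record is None:
        return "none", "none", fd                    # no DMARC policy published
    tags = parse_tags(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, fd, aspf)
    dkim_aligned = any(r == "pass" and aligned(d, fd, adkim) for r, d in dkim_results)
    if spf_aligned or dkim_aligned:                  # either aligned pass is enough
        return "pass", "none", fd
    policy = tags.get("p", "none")
    if used_org_record and "sp" in tags:             # subdomain policy applies
        policy = tags["sp"]
    return "fail", policy, fd


if __name__ == "__main__":
    cases = [
        ("legit, SPF aligned (relaxed)", "Alice <alice@example.com>", "pass",
         "bounce.example.com", [("pass", "example.com")]),
        ("spoofed From, attacker's SPF/DKIM", "Alice <alice@example.com>", "pass",
         "evil.example", [("pass", "evil.example")]),
        ("DKIM d= subdomain vs adkim=s", "alice@example.com", "fail",
         "example.com", [("pass", "mail.example.com")]),
        ("display-name spoof, own domain", '"Alice (CEO)" <ceo@evil.example>', "pass",
         "evil.example", [("pass", "evil.example")]),
        ("subdomain with no record, sp= used", "news@news.example.com", "fail",
         "news.example.com", []),
    ]
    for label, hf, spf, mf, dkim in cases:
        print(f"{label:38} -> {evaluate_dmarc(hf, spf, mf, dkim)}")
```

The fourth case is the display-name attack: everything is consistent for evil.example, so DMARC passes and the only thing wrong is text a human reads. The third shows why adkim=s is a sharp tool: a legitimate signer using a subdomain in d= is rejected.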
Check TLS certificate
openssl s_client -crlf -connect imap.gmail.com:993
Opens an IMAP connection over implicit TLS (port 993) and prints the server's certificate chain and the verification result; -crlf turns your line feeds into CRLF so you can type protocol commands afterwards. For SMTP submission on port 587 the same tool needs -starttls smtp, because there TLS is negotiated inside the protocol rather than at connect time.