Ever wonder what happens when you send an email, and what the various systems and components are that facilitate the whole process? In our digital age, we all communicate over email, and so do the bad guys, to far more nefarious ends: from credential-harvesting links to malware downloads, email is the most viable way for an attacker to get past hardened servers.
Before we talk about the security aspects, let's look at the whole flow of what happens when you click send in your email application.
The email application where you write and receive emails is called the Mail User Agent (MUA). This could be Hotmail, Gmail, Thunderbird, or any application that is able to send and read emails.
These mail clients can be accessed either as a local application, or through your browser as a web application.
When you have written up an email and hit the send button, the mail is transferred from the MUA to the Mail Submission Agent (MSA) on the mail server. This traffic from the MUA to the MSA happens over port 587.
The MUA is required to authenticate and authorize itself to the MSA through an SMTP extension known as ESMTPA, that is, extended SMTP with authentication (SMTP-AUTH).
The MSA enforces policy on the mail received from the MUA and checks that it is syntactically valid. Once it has confirmed that the mail is error-free, it passes it on to the MTA.
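To make the submission step concrete, here is an added example (not code from the original post) of a toy MSA written as a state machine. It walks the same exchange a MUA has on port 587: EHLO, then SMTP AUTH (the PLAIN mechanism), then MAIL FROM, RCPT TO and DATA. It refuses MAIL FROM until authentication has succeeded, rejects malformed addresses with a 501, and applies one common policy rule, that the envelope sender must be the account that logged in. The hostname msa.example.com, the credential store and the reply texts are all constructed for the example; a production MSA would of course sit behind TLS and consult a real directory.

```python
import base64
import re

# Constructed credential store for this toy MSA; not real accounts.
USERS = {"alice@example.com": "s3cret-example"}

# Loose mailbox syntax check: local-part@domain, domain must contain a dot.
ADDR_RE = re.compile(r"^<?([A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)>?$")

def parse_address(arg, keyword):
    """Return the mailbox in 'FROM:<a@b>' / 'TO:<a@b>', or None if malformed."""
    if arg[: len(keyword) + 1].upper() != keyword + ":":
        return None
    m = ADDR_RE.match(arg[len(keyword) + 1 :].strip())
    return m.group(1).lower() if m else None

def plain_credential(user, password):
    """Encode SASL PLAIN the way the MUA sends it: base64('\\0user\\0password')."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

class SubmissionAgent:
    """Toy MSA state machine enforcing EHLO -> AUTH -> MAIL -> RCPT -> DATA."""

    def __init__(self):
        self.ehlo_done = False
        self.user = None        # set once AUTH PLAIN succeeds
        self.mail_from = None
        self.rcpts = []
        self.body = []
        self.in_data = False
        self.queued = []        # messages handed on to the (simulated) MTA

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.mail_from, list(self.rcpts), "\n".join(self.body)))
                self.mail_from, self.rcpts, self.body = None, [], []
                return "250 2.0.0 Ok: queued for the MTA"
            self.body.append(line)
            return None         # no reply while message content is being received
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.ehlo_done = True
            return "250-msa.example.com\r\n250 AUTH PLAIN"
        if not self.ehlo_done:
            return "503 5.5.1 Send EHLO first"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.user is None:               # the whole point of port 587
                return "530 5.7.0 Authentication required"
            sender = parse_address(arg, "FROM")
            if sender is None:
                return "501 5.1.7 Bad sender address syntax"
            # Policy: envelope sender must be the authenticated account, so a
            # single stolen login cannot be used to submit mail as someone else.
            if sender != self.user:
                return "553 5.7.1 Sender address rejected: not owned by user"
            self.mail_from = sender
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command first"
            rcpt = parse_address(arg, "TO")
            if rcpt is None:
                return "501 5.1.3 Bad recipient address syntax"
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 5.5.2 Cannot decode credentials"
        if USERS.get(user) != password:
            return "535 5.7.8 Authentication credentials invalid"
        self.user = user
        return "235 2.7.0 Authentication successful"

def run_session(commands):
    """Feed client lines to a fresh MSA; return (replies, messages queued)."""
    msa = SubmissionAgent()
    replies = [r for r in map(msa.handle, commands) if r is not None]
    return replies, msa.queued
```

Feeding `run_session` the lines `EHLO`, `AUTH PLAIN <credential>`, `MAIL FROM:<alice@example.com>`, `RCPT TO:<bob@example.org>`, `DATA`, the message lines and a lone `.` yields a 235 for the login and a final 250 with one message queued for the MTA; leaving out the AUTH step stops the session at MAIL FROM with a 530, and a MAIL FROM naming another user's address is refused with a 553.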
A mail that has passed the MSA’s validation check is transferred to the Mail Transfer Agent (MTA), which also resides on the mail server. The traffic between the MSA and the MTA happens over port 25.
The role of the MTA is to transfer the mail from the mail server where it was sent to the mail server that is slated to receive it. To find the IP address of the receiving mail server, the MTA performs a DNS lookup on the recipient's domain and retrieves its MX record.
Once the recipient's mail server IP address has been obtained, the sending MTA transfers the mail to the receiving MTA over port 25.
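The MX lookup has a few rules worth seeing in code, so here is an added example (not from the original post) of how a sending MTA turns a recipient address into an ordered list of hosts to try. It goes slightly beyond the text: it sorts exchanges by MX preference (lowest first, as RFC 5321 requires), falls back to the domain's own A record when no MX exists (the "implicit MX" rule from the same RFC), and recognises the RFC 7505 "null MX" record (a single MX of preference 0 pointing at ".") that tells senders a domain never accepts mail. The DNS answers are a constructed in-memory table so the example runs offline; the domains and 192.0.2.x addresses are documentation values, not real hosts.

```python
# Constructed zone data standing in for live DNS answers (not real records).
MX_RECORDS = {
    "example.org": [(20, "mx2.example.org"), (10, "mx1.example.org"), (10, "mx1b.example.org")],
    "nomail.example": [(0, ".")],   # RFC 7505 "null MX": the domain accepts no mail
    "tiny.example": [],             # no MX record at all
}
A_RECORDS = {
    "mx1.example.org": "192.0.2.10",
    "mx1b.example.org": "192.0.2.11",
    "mx2.example.org": "192.0.2.20",
    "tiny.example": "192.0.2.30",
}

def recipient_domain(address):
    """Take the domain part of a mailbox, e.g. bob@example.org -> example.org."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {address!r}")
    return domain.lower().rstrip(".")

def resolve_delivery_targets(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Return (status, [(host, ip), ...]) in the order a sending MTA should try.

    status is "ok", "null-mx" (domain rejects all mail) or "unresolvable".
    """
    records = list(mx.get(domain, []))
    if records == [(0, ".")]:
        return "null-mx", []
    if not records:
        # RFC 5321 section 5.1: no MX means treat the domain itself as the MX.
        records = [(0, domain)]
    # Lowest preference first; sorted() is stable, so equal-preference hosts keep
    # their answer order (a real MTA would randomise among equals to share load).
    ordered = sorted(records, key=lambda rec: rec[0])
    targets = [(host, a[host]) for _, host in ordered if host in a]
    return ("ok" if targets else "unresolvable"), targets

def delivery_plan(address):
    """Everything the sending MTA needs before opening port 25 to the first target."""
    return resolve_delivery_targets(recipient_domain(address))
```

For `bob@example.org` the plan is mx1, then mx1b, then mx2, which is exactly the order a sender works through when the preferred exchange is down; replacing the two tables with a real resolver is the only change needed to use this against live DNS.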
(Receiving) MTA, MDA
The sending MTA transfers the mail to the receiving MTA, which passes the message down to the Mail Delivery Agent (MDA). The MTA to MDA traffic happens over port 25.
The MDA then places the received mail into the mailbox, and the recipient's MUA uses either POP3 or IMAP to pull the email down to their application. POP3 pulls the message down and deletes it from the server, while IMAP does not delete it and leaves the message on the server so it can be synced with other devices or applications.
Security and Spam
In this short post, we've briefly gone through the process and systems involved in sending an email. In the next post, we'll explore the security frameworks used to protect people from unwanted email, or spam.
We'll look at things like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).