Email is quite possibly the most ubiquitous technology we use today. Although it is starting to see a little age, it still seems to chug along and stay in the forefront of our daily lives.
With all the great benefits that email provides, there are also caveats. There are scandals, phishing, SPAM, and several other issues with email that can almost make it unusable. Luckily, changes are constantly being made in the world of email to help address these problems. This is why you should make sure you know how email works!
No matter which path you take in the IT world, you WILL encounter email. Sysadmins have to manage email systems such as Exchange, developers have to manage emails sent from their programs, security professionals have to ensure email is safe and secure, and so on.
Alright, now that we have the why out of the way, let’s put on our wetsuits and dive into the wonderful, and sometimes complicated, world of email!
How does email work?
Let’s kick this guide off by going through some protocols and theory. I know, that sounds like a party, doesn’t it?! Well, to get to the fun stuff, we’ve got to do a little legwork!
First up, let’s go over the protocols, or communication methods, of email:
⦁The Simple Mail Transfer Protocol is the granddaddy of email and still the method by which email is sent and received by servers today.
⦁SMTP was defined in 1982 (Crazy, right?!) https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
⦁SMTP runs unsecured over port 25 and secured with an SSL/TLS certificate over port 587
⦁Many ISPs block port 25 and 587 for residential connections.
⦁POP3 is the third version of the “Post Office Protocol”, which has been around since the beginning. POP dates from the 80s, with POP3 originating in 1988. https://en.wikipedia.org/wiki/Post_Office_Protocol
⦁POP3 is a largely deprecated protocol in favor of IMAP (with some notable exceptions, such as GMAIL promoting their POP feature.)
⦁POP3 is a “Pull only” protocol which means that your email client must reach out to fetch new messages. This can be scheduled to occur at certain intervals or performed manually.
⦁POP3 communicates over port 110 and “Secure POP3”, which uses an SSL/TLS certificate, communicates over port 995.
⦁IMAP is the current universal standard for most email clients. Clients such as Outlook can retrieve email from Gmail, Yahoo, AOL, etc. using the IMAP protocol.
⦁IMAP is a push and pull protocol that keeps folders and emails in sync at all times. Unlike POP3, if an email arrives, an IMAP client will detect this change and retrieve the message immediately as opposed to a set schedule.
⦁IMAP uses port 143 and secured port 993.
⦁MAPI is the protocol you will find in an enormous number of schools, businesses, and other organizations that host their own email using Microsoft Exchange. If you have ever used Microsoft Outlook with an Exchange server, you have used MAPI.
⦁MAPI is a proprietary protocol that allows Microsoft’s Outlook client to transfer calendar, delegate, contact, and other important information between the Exchange server and Outlook.
⦁MAPI is considered incredibly robust and supports many features that IMAP and POP3 cannot support. This is why many organizations that rely heavily on Administrative Assistants and Executive Admins still prefer Outlook and Exchange/Office 365 today.
⦁HTTPS is used to deliver secure webpages and it is how email is accessed without a full client such as Outlook.
⦁GMAIL, Outlook on the Web, Yahoo, AOL, etc. all deliver their primary email interfaces as HTTPS webpages that you sign into.
⦁These email services can typically be set up in a client using IMAP, but it is very convenient just to open the email in a browser.
⦁A “Mail Exchanger” record is a DNS record that directs email to the appropriate mail server for the domain.
Common Email Software
Now that we’ve mentioned protocols, let’s quickly go over some of the software that is used today. Obviously, there is a LOT more software than I’ll mention here, but I want to just go over some of the primary software you will find in the wild.
⦁Outlook is still the most widely used desktop email client today. https://www.campaignmonitor.com/resources/guides/most-popular-email-clients/
⦁Outlook communicates with Exchange servers over MAPI or to other email providers such as Gmail by IMAP.
⦁Exchange is a very common Email server for on-premises corporate email. You can’t go far in the corporate, education, or government world without running into an Exchange Server.
⦁Exchange manages calendars, contacts, email, documents, and many other features that large organizations use.
⦁Microsoft has taken Exchange to the cloud as Office 365, which many organizations are migrating to. https://www.okta.com/blog/2015/01/office-365-adoption-goes-through-the-roof/
⦁MailEnable is a client that is very popular among hosting companies. It integrates easily with control panels, such as cPanel, and has a free version available. If you are looking for an easy way to host your own email on a Windows server, this is certainly a decent option. https://www.mailenable.com/
⦁Postfix is a mail system for Linux that allows the sending and receiving of mail. It is a no-frills option for those who wish to have email integrated with their applications or websites hosted in a Linux environment.
The Parts and the Process
Alright! We’ve knocked out some terminology; now let’s go through the process!
I’m going to use Outlook and Exchange as an example here as they are still very widely used. Just know that this process is very similar for any software you use.
1. First up, let’s say someone named Selena Kyle is sending an email to Barbara Gordon. Selena Kyle opens her Outlook client and writes the email and hits “send”.
Subject: You can’t find me!
Body: Sorry you missed me last night; better luck next time!
2. After the email leaves the client, it is transported to the SMTP server. You can consider the SMTP server to be akin to a post office. In this case, the SMTP server is an Exchange server that Outlook is continuously connected to. This is just like the mail carrier picking up your mail and delivering it to the post office, with the Exchange server being the post office.
3. Once the Exchange server receives the email, it needs to process it and determine where it goes. So the Exchange server (post office) examines the destination information contained in the “header” of the email.
4. Once the Exchange server finds the recipient, it uses DNS to look up the MX records for the recipient’s domain. Let’s say the server finds this for the firstname.lastname@example.org MX records:
Gothamcityheroes.com. 299 IN MX 10 aspmx.l.google.com.
5. Great! The server has found the information it needs to send the email! Using the MX record, it sees that email for gothamcityheroes.com is hosted by Google and knows to send the email to the aspmx.l.google.com server!
6. The Exchange server places the email in the outgoing queue and it is sent over the internet to the Google “inbound gateway” server it retrieved from the DNS lookup.
7. Once the email arrives in the inbound queue of the inbound gateway, it must decide how to process it. In many cases, there may be a separate inbound gateway that serves as a proxy for the email server. This inbound gateway will perform SPAM checks and other security operations before it is sent to the email server.
8. Once the email enters the inbound queue, the server needs to find out where to send it. Google obviously hosts more than just one domain per server, so it needs to find the proper recipient. Google checks its directory to determine where the mailbox is located. Exchange uses “Active Directory” and Google uses its own directory service.
9. The Google server finds the proper domain, examines all rules in place for that domain, and delivers the message. If the message looked “spammy” or was addressed to a person that doesn’t exist at gothamcityheroes.com, rules would be in place to determine how to handle that. If the message looks suspicious, Gmail may use its antivirus and filtering algorithms to decide that the email should be blocked. Luckily, in this case, Selena Kyle isn’t trying to hurt Barbara Gordon, just send a message.
10. The Google server places the email in its delivery queue and sends the email to Barbara’s mailbox and Barbara is notified on her Android Batphone that she has received a new email!
11. Barbara can then reply and start the process all over again!
From: Barbara Gordon (email@example.com)
To: Selena Kyle (firstname.lastname@example.org)
Subject: Re: You can’t find me!
Body: I’ve left some catnip on your back porch, come try some!
Ok, now that we’ve gone through that process, let’s take a look at some of the components in real life! Let’s take a look at a header for an email!
Open your email client, whether it’s Gmail, Outlook, Yahoo, etc. and open an email. From this email, you want to obtain the header. To do this, you may need to do a little research for your individual client. Here is the Gmail method for reference.
⦁Open an email and click on the three vertical dots as shown in the image.
⦁Click on “<> Show Original”.
⦁The “Original Message” should open in another tab and WOW does it have a lot of information!
⦁If you spend enough time, you can certainly parse through this and figure out what’s going on, but luckily, there’s a way to save your eyes and your sanity.
⦁Copy the information; you can use the “copy to clipboard” option if you’re using Gmail. (If you aren’t using Gmail, your original email may be unencrypted, so it’s best to do this with a random email that you don’t care about. Please don’t send any privileged information to MX Toolbox.)
⦁Open a new tab and go to:
⦁Once on the site, paste the information you copied from the previous step to the blank provided.
⦁Once you have copied the information into the blank, click “Analyze Header”.
⦁As you can see, the process from the email example is present in the header, including times at each server! This makes a lot more sense! Although some headers will have fewer steps than others, you can still see them all. If you have a Gmail account and you receive an email from another Gmail account, the steps required will obviously be much fewer than if the email has to traverse multiple servers to get to you.
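To see the delivery process and the header walkthrough above in code, here is an added example (not from the original guide) that parses the Received: lines of a message and rebuilds the hop-by-hop timeline with the delay at each server, the same view an online header analyzer gives you. The raw message is constructed for this example; the host names and IP addresses in it are made up, and it assumes only the Python standard library.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed raw message (not a real capture): three Received: lines, newest first,
# following the Outlook -> Exchange -> Google path described above.
RAW_MESSAGE = """\
Received: from aspmx.l.google.com ([203.0.113.25])
        by mailstore.gmail.example with LMTP id q7si42;
        Tue, 3 Mar 2020 10:00:12 -0500
Received: from exchange.wayne.example (exchange.wayne.example [198.51.100.7])
        by aspmx.l.google.com with ESMTPS id x9si17;
        Tue, 3 Mar 2020 10:00:05 -0500
Received: from [192.0.2.44] (selena-laptop.wayne.example [192.0.2.44])
        by exchange.wayne.example with ESMTP;
        Tue, 3 Mar 2020 10:00:01 -0500
From: Selena Kyle <selena@wayne.example>
To: Barbara Gordon <barbara@gothamcityheroes.com>
Subject: You can't find me!

Sorry you missed me last night; better luck next time!
"""

def trace_hops(raw_message):
    """Return the Received: chain oldest-first with the delay (seconds) at each hop."""
    msg = email.message_from_string(raw_message)
    hops, previous = [], None
    # Each server prepends its Received: line, so reverse to get chronological order.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold the header onto one line
        clause, _, stamp = value.rpartition(";")  # the timestamp follows the last ';'
        when = parsedate_to_datetime(stamp.strip())
        sender = re.search(r"\bfrom\s+(\S+)", clause)
        receiver = re.search(r"\bby\s+(\S+)", clause)
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "time": when,
            "delay": int((when - previous).total_seconds()) if previous else 0,
        })
        previous = when
    return hops

def total_delay(raw_message):
    """Seconds between the first and last hop, the 'total' an analyzer shows."""
    return sum(hop["delay"] for hop in trace_hops(raw_message))

if __name__ == "__main__":
    for hop in trace_hops(RAW_MESSAGE):
        print(f"{hop['time']:%H:%M:%S}  +{hop['delay']:>3}s  {hop['from']} -> {hop['by']}")
```

A hop whose “from” host does not match the IP in its parentheses, or a suspiciously large delay at one server, is exactly the kind of thing to look for when you inspect a header by hand.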
We’ve gone through why you need to know email and how it works, but how about how to make it work securely? This is a topic that seems to become more necessary every day!
Email Security is an enormous topic that could be written in volumes, but I’m going to try to provide a brief overview in a few paragraphs, so let’s get to it!
⦁“Email Spoofing” is when an attacker or other miscreant pretends to be you by modifying the “from address” of an email with your email address instead of theirs.
⦁Although a spoofed email appears to be from you, if you inspect the email, you can see that the IP address of the sending server does not match your server.
⦁There are many ways to help prevent this, a few of which are as follows:
⦁ SPF: “Sender Policy Framework” is a method by which receiving email servers can check to ensure an email arrived from a host approved by the domain. This is achieved by adding a “TXT” record to the domain’s DNS records. An example of an SPF record is:
example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
As you can see, the IP addresses of the email hosts are listed and, as long as the sending server matches one of them, the email will be received properly.
⦁DKIM: “DomainKeys Identified Mail” takes SPF a step further. Where SPF verifies the server IP is legitimate, DKIM verifies the email has not been modified in any way after the original server received it and that the domain in the sender address matches the domain from which it was sent. This helps prevent spammers and scammers from modifying an email and redistributing it as their own or modifying the email address and scamming unsuspecting victims by pretending to be someone they’re not.
⦁DMARC: “Domain-based Message Authentication, Reporting and Conformance” (I would recommend sticking to DMARC for this one!) is the policy applied to emails that fail SPF or DKIM checks. This policy is created in DNS to instruct receiving mail servers to accept or reject emails that fail those checks.
⦁A DMARC policy looks like this:
v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com;
⦁v = version; p = policy; pct = percentage of email to be affected by this policy; rua = the address to send reports to.
⦁You can find a DMARC policy using many tools, but one of the easiest to use is here:
⦁Many people forward email from one server to another. For instance, you may want to forward your Exchange email from school to your Gmail account. If an email comes to your school account from an email domain that has “p=reject” as the policy, this can actually cause your forwarded email to bounce or go straight to spam! This article from AOL actually explains more:
All of these security settings are certainly great things, but they can definitely cause issues if you have an organization with users highly reliant on forwarding. This being said, it is a much better move to set “p=reject” than to risk the safety of your assets just for a few people who want to forward email.
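The following added example (not code from the original guide) evaluates the SPF record shown above against a sending IP, parses the DMARC record shown above, and applies the DMARC pass/alignment rule to decide whether a receiver accepts, quarantines or rejects a message; it also models the forwarding problem, where a school server that is not in the SPF record relays an unsigned message and “p=reject” bounces it. It assumes a constructed A-record table (DNS_A) in place of a real DNS lookup, handles only the ip4, a and all mechanisms, and uses a made-up forwarder IP.

```python
import ipaddress
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"  # record from the page
DMARC_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com;"  # from the page
DNS_A = {"example.com": ["203.0.113.10"]}  # constructed A-record table in place of real DNS
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain):
    """Evaluate an SPF record (ip4, a and all mechanisms) against the sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"  # no qualifier means "+" (pass) per RFC 7208
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False  # include/mx/exists are out of scope here
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # the domain's own A records are allowed senders
            matched = str(ip) in DNS_A.get(arg or domain, [])
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"  # RFC 7208 default when no mechanism matches

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.lower()] = value.strip()
    return tags

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_pass, dkim_domain):
    """Pass if SPF or DKIM passed for the From: domain; otherwise apply the p= policy."""
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_pass and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "accept"
    policy = parse_dmarc(record).get("p", "none")
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]

def forwarded_mail_outcome(forwarder_ip="198.51.100.200"):
    """Forwarding case: a school server (made-up IP) relays an unsigned example.com message."""
    spf = check_spf(SPF_RECORD, forwarder_ip, "example.com")
    return dmarc_disposition(DMARC_RECORD, "example.com", spf, "example.com", False, "")
```

The same forwarded message would still be accepted if it carried a valid DKIM signature from example.com that survived the relay, which is why DKIM matters so much for domains that publish “p=reject”.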
As you have probably seen in the news over the past few years, encryption is extremely important in your email to prevent prying eyes from getting ahold of your sensitive information! Encryption is largely being deployed natively by most web hosts now, especially Gmail, so this isn’t as important of a topic, but you should definitely be exposed to it!
⦁PGP: “Pretty Good Privacy” is an encryption method widely used for email. It works by allowing you to create a private key that you keep and a public key to distribute to your recipients. This process gets pretty complicated, so I recommend you read up on it as a cursory knowledge of email encryption will certainly do you good in whatever career path you choose!
⦁S/MIME: “Secure/Multipurpose Internet Mail Extensions” is another encryption protocol that allows the sending of signed and encrypted emails. More on this standard can be found here
Spam and Phishing
We’ve all heard of SPAM and probably suffer from it on a daily basis. Either our email boxes are inundated with it or we have no Spam, but our Spam filters are blocking important messages because they are too sensitive.
There are several methods out there to block Spam including, but not limited to, Spam filters, blacklists, and SPF/DKIM/DMARC. Due to its enormous complexity, I’m not going to delve too deep into Spam concepts; I’m just going to cover a few tips and suggestions:
⦁Don’t sign up for mailing lists or sketchy “free things” with your primary email! Email providers such as Outlook.com actually have an “alias” function that allows you to create an email alias. Many people will create an email alias like firstname.lastname@example.org, which allows you to see what company you signed up with and to whom they sold your information if they did. More info can be found here:
⦁Don’t flag unwanted mail as spam unless it really is spam. If you signed up for a service, throw it away and unsubscribe. Flagging it as spam hurts the organization: if enough recipients mark its mail as spam, it can be placed on a blacklist, and getting removed from one can be a long and arduous process.
⦁Sometimes, you may find yourself on this blacklist if your server has what’s called an “open relay” that is exploited and your server starts sending spam. Ensure that any time you use an SMTP server with an application, you employ SPF, DKIM, and DMARC and secure the connection to your server with a complex password.
⦁If you need to see if your domain is on a blacklist, you can check here:
⦁If you receive an email from someone you don’t know or a suspicious email you didn’t expect from someone you do, it’s always a good idea to inspect the header of the email to ensure the address matches. Many spoofers will change the “from” address, but their domain will stay the same in the header, which will give them away immediately.
⦁If a company asks for a password in an email, it’s probably fraudulent. Always go to the website in question to perform any password operations and don’t sign into sites directly from an email.
⦁To avoid being flagged as Spam, it’s usually best to include a subject and a body of at least some text. Even if you’re just sending an attachment or one link, if you aren’t in the recipient’s address book, their system may flag you as spam if you send an email with a blank subject or just an attachment.
I hope everyone enjoyed the guide and learned a little something! Now get back to emailing!