Email remains the backbone of business communication, but it’s also become the favourite attack vector of cyber criminals. More than 376 billion emails flow through global networks daily in 2025, and that number keeps climbing. Yet behind this massive digital exchange lies a vulnerability that security professionals can no longer ignore.

The numbers tell a sobering story. Phishing attacks surged 17.3% between September 2024 and February 2025 alone. Meanwhile, over 90% of the 7.2 billion emails processed by major security vendors qualify as spam or malicious content. Recent exploits targeting Microsoft 365’s Direct Send feature and sophisticated SMTP smuggling techniques prove that attackers have found new ways to bypass traditional email security. For the vast majority of organisations already reporting increased cyber risks, understanding the SMTP protocol that powers email communication has never been more critical.

What Is SMTP Relay?

Simple Mail Transfer Protocol (SMTP) is the foundational protocol that facilitates the transmission of email messages between servers across the internet. When an email is sent to a recipient outside the sender’s domain, SMTP relay ensures the message is routed correctly and delivered to the intended destination. First defined in RFC 821 back in 1982 and now standardised under RFC 5321, SMTP has evolved into the backbone of modern email infrastructure.

SMTP operates through three core components that work together to handle email delivery. Mail Transfer Agents (MTAs) route messages between servers, while Mail Submission Agents (MSAs) accept outgoing mail from email clients. Relay servers act as intermediaries, forwarding messages through the optimal path to reach their destination.

 

 

SMTP services act as intermediaries in the email delivery process, providing businesses and organisations with a robust infrastructure to handle outgoing emails. These services are particularly useful for sending bulk emails, such as newsletters or marketing campaigns, without straining the organisation’s own email servers.

The protocol communicates across specific network ports depending on the security requirements. Port 25 handles server-to-server transfers, port 587 manages authenticated submission from email clients, and port 465 provides encrypted SMTP over SSL/TLS. Simply put, SMTP accepts outgoing emails from the sender’s server and then forwards them to the recipient’s email server. Modern implementations include SMTP AUTH, which requires username and password authentication before accepting messages, preventing unauthorised relay abuse that plagued earlier versions. This authentication mechanism allows businesses to leverage specialised infrastructure to improve email deliverability and manage large-scale email communications while protecting their primary domain’s reputation.

How SMTP Works (Flow and Components)

The SMTP email flow follows a precise sequence of technical steps that ensure secure and reliable message delivery:

  1. Connection establishment: The Mail User Agent (MUA) initiates a TCP connection to the outgoing SMTP server on port 587 (authenticated submission), 465 (SMTP over SSL), or 25 (server-to-server transfer). The server responds with a 220 status code confirming readiness.
  2. SMTP Handshake: The client sends an EHLO command identifying itself with its domain name or IP address. The server responds with supported extensions and capabilities, including authentication methods and encryption options.
  3. STARTTLS negotiation: If encryption isn’t already established, the client can issue a STARTTLS command to upgrade the connection to TLS. Both parties negotiate encryption parameters before proceeding.
  4. Authentication: The client provides credentials through SMTP AUTH using methods like LOGIN, PLAIN, or CRAM-MD5. The server validates these credentials before accepting messages.
  5. Message transfer commands: The client sends MAIL FROM specifying the envelope sender, followed by RCPT TO commands for each recipient. The server validates each command and responds with appropriate status codes.
  6. Data transmission: After issuing the DATA command, the client transmits the complete message, including headers (Return-Path, Received, Message-ID, Date, From, To) and body content. Headers contain routing information and metadata that mail servers use for processing and logging.
  7. DNS resolution: The sending MTA performs DNS lookups to find MX records for the recipient’s domain, identifying the destination mail server’s IP address and priority.
  8. Message relay: If the recipient is external, the message passes through intermediate MTAs that add Received headers for audit trails and logging purposes. Each hop represents a formal handoff of delivery responsibility.

Email systems typically use one of two protocols for incoming messages: Post Office Protocol (POP) or Internet Message Access Protocol (IMAP). POP downloads emails to the user’s device and usually deletes them from the server, while IMAP keeps messages on the server and synchronises them across multiple devices. IMAP is more commonly used in business environments and with services like Gmail.

Throughout this process, SMTP servers maintain detailed logs recording transaction details, response codes, and delivery attempts for compliance and troubleshooting purposes.

Essential SMTP Commands and What They Mean

SMTP communication relies on a standardised set of text-based commands that orchestrate every aspect of email delivery. These commands create a structured dialogue between email clients and servers, ensuring messages reach their intended destinations securely and reliably.

  • HELO/EHLO: Initiates the SMTP session by identifying the sending server with its domain name or IP address. EHLO indicates support for Extended SMTP features, while HELO provides basic functionality.
  • MAIL FROM: Specifies the sender’s email address and officially begins the email transaction. This creates the “return path” for delivery notifications and bounce messages.
  • RCPT TO: Identifies each recipient of the message and can be repeated multiple times for messages with several recipients. The server validates each address before accepting it.
  • DATA: Signals the start of message content transmission, including headers and body text. The server responds with code 354, and the message ends with a single period on its own line.
  • AUTH: Authenticates the client using credentials like username and password through methods such as LOGIN, PLAIN, or CRAM-MD5. This prevents unauthorized relay abuse.
  • STARTTLS: Upgrades the connection to encrypted TLS/SSL before sensitive data transmission. Both client and server negotiate encryption parameters for secure communication.
  • RSET: Resets the current mail transaction without terminating the SMTP session. This clears previous commands and allows starting fresh.
  • QUIT: Terminates the SMTP session cleanly, with the server responding with code 221 before closing the connection.
  • NOOP: Sends a “no operation” command to verify the server is still responsive without performing any action. Useful for keeping connections alive during idle periods.
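
The command sequence above can be seen from the server's side in the following added example (not from the original page and not any mail server's own code): a small state machine that enforces the order EHLO, STARTTLS, AUTH, MAIL FROM, RCPT TO, DATA and refuses unauthenticated relay to external domains. The names `SmtpSession`, `run_dialogue` and `plain_token`, the hosted domain `example.org` and the credential store are assumptions made for illustration.

```python
import base64
import hmac

LOCAL_DOMAINS = {"example.org"}            # assumption: domains hosted here
USERS = {"svc-mailer": "constructed-pw"}   # assumption: constructed credentials


def _path(arg, keyword):
    """Return the address in 'FROM:<addr>' or 'TO:<addr>', or None if malformed."""
    head, sep, rest = arg.partition(":")
    if not sep or head.strip().upper() != keyword:
        return None
    rest = rest.strip().split(" ")[0]      # drop ESMTP parameters such as SIZE=
    if rest.startswith("<") and rest.endswith(">"):
        return rest[1:-1]
    return None


def plain_token(user, password):
    """Client-side helper: build the AUTH PLAIN argument (authzid left empty)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SmtpSession:
    """Server-side view of one connection; handle() returns (code, text)."""

    def __init__(self):
        self.greeted = False
        self.tls = False
        self.user = None
        self.sender = None
        self.recipients = []

    def _reset(self):
        self.sender, self.recipients = None, []

    def _auth_plain(self, b64):
        try:
            _, user, password = base64.b64decode(b64, validate=True).decode().split("\0")
        except ValueError:                 # bad base64, bad UTF-8 or wrong field count
            return None
        expected = USERS.get(user)
        if expected is None:
            return None
        return user if hmac.compare_digest(expected.encode(), password.encode()) else None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            self._reset()
            # Advertise AUTH only once the channel is encrypted
            return 250, "AUTH PLAIN" if self.tls else "STARTTLS"
        if verb == "QUIT":
            return 221, "Bye"
        if verb == "NOOP":
            return 250, "OK"
        if verb == "RSET":
            self._reset()
            return 250, "OK"
        if not self.greeted:
            return 503, "Send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return 503, "TLS already active"
            # RFC 3207: after the upgrade the client must send EHLO again
            self.tls, self.greeted = True, False
            return 220, "Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return 538, "Encryption required for requested authentication mechanism"
            mech, _, b64 = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return 504, "Unrecognized authentication type"
            self.user = self._auth_plain(b64)
            return (235, "Authentication successful") if self.user else (535, "Authentication failed")
        if verb == "MAIL":
            sender = _path(arg, "FROM")
            if sender is None:
                return 501, "Syntax: MAIL FROM:<address>"
            self._reset()
            self.sender = sender
            return 250, "OK"
        if verb == "RCPT":
            if self.sender is None:
                return 503, "Need MAIL FROM first"
            rcpt = _path(arg, "TO")
            if not rcpt or "@" not in rcpt:
                return 501, "Syntax: RCPT TO:<address>"
            # Relay decision: external recipients only for authenticated clients
            if rcpt.rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS and self.user is None:
                return 550, "Relaying denied"
            self.recipients.append(rcpt)
            return 250, "OK"
        if verb == "DATA":
            if not self.recipients:
                return 503, "Need RCPT TO first"
            return 354, "End data with <CR><LF>.<CR><LF>"   # body handling not modelled
        return 500, "Command not recognized"


def run_dialogue(commands):
    """Feed a constructed client dialogue to a fresh session; return reply codes."""
    session = SmtpSession()
    return [session.handle(command)[0] for command in commands]
```
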

What Is an SMTP Server?

An SMTP server is a specialised software application that handles the heavy lifting of outgoing email transmission across the internet. Think of it as a digital post office that processes, validates, and routes your messages to their intended destinations. Unlike general mail servers that manage both incoming and outgoing communications, SMTP servers focus exclusively on the outbound journey.

These servers act as authenticated intermediaries between your email client and the recipient’s mail system. When you hit send, the SMTP server verifies your credentials through SMTP AUTH, validates recipient addresses, performs DNS lookups to locate destination servers, and establishes secure connections with receiving mail systems. Major providers like Gmail use smtp.gmail.com, while enterprise environments often deploy dedicated SMTP infrastructure to handle bulk communications and maintain sender reputation.

SMTP vs. IMAP and POP

Understanding the difference between these three protocols clears up a common source of confusion for IT professionals. SMTP handles outbound email transmission, while IMAP and POP3 manage inbound message retrieval. Think of SMTP as the delivery service that sends your emails, and IMAP/POP3 as different ways of organising your inbox.

IMAP stores messages on the server and synchronises them across multiple devices, making it perfect for teams accessing email from laptops, phones, and tablets. When you read an email on your phone, it shows as read on your desktop, too. IMAP uses port 143 for standard connections and port 993 for encrypted SSL/TLS communications.

POP3 takes a different approach by downloading messages directly to your device and typically deleting them from the server afterwards. This frees up server storage but limits access to that single device. POP3 operates on port 110 for standard connections and port 995 for secure communications.

Most enterprise environments favour IMAP because it supports folder organisation on the server, advanced search capabilities, and seamless multi-device workflows. POP3 works better for single-user scenarios where offline access matters more than synchronisation. Both protocols work alongside SMTP to provide complete email functionality, with SMTP handling the sending while IMAP or POP3 manages the receiving.

Why Is SMTP Relay Important?

Without SMTP, users could not send email messages to anyone outside of their own domain. That restriction would eliminate the usefulness of email messages and online communication. SMTP’s critical role becomes even more apparent when considering that 99% of consumers check their email daily, making it the backbone of business operations and customer engagement. Most email clients seamlessly work with SMTP servers so that the user does not need to manually interact with the protocol. Modern email infrastructure depends entirely on SMTP’s standardised command structure to process the massive volume of daily communications securely and efficiently.

SMTP’s importance extends far beyond basic functionality into critical security and business continuity. With SMTP infrastructure, businesses can send marketing emails without having their domain blocklisted. The stakes have never been higher, considering there have been “$2.77 billion in losses caused by BEC, making it the second costliest cyber crime category overall,” linked to “21,442 incidents, which was largely consistent year over year,” as reported by Andrew Goodman, Director of Product Marketing at Proofpoint. Think of SMTP infrastructure as a way to leverage professional email delivery systems to send bulk email while maintaining sender reputation and security.

When a business domain or email server is blocklisted, email messages are dropped by a recipient’s email server, even if it’s a legitimate message sent from one sender within the organisation. Being blocked can devastate business productivity as messages are either never delivered or sent automatically to the recipient’s spam folder. SMTP infrastructure allows businesses to send email without using their own servers or domains, so that marketing messages can be separated from internal email communications.

Email client software, such as Outlook or Thunderbird, provides a graphical interface for users to work with SMTP relay. These GUI programmes provide a way for users to interact with the SMTP relay by simply configuring the software to connect to the server. If the server requires encryption over TLS/SSL or authentication, these configurations can be set up in the software. The software takes the recipient’s address, the sender’s address, and the message and connects with the SMTP server.

The primary benefit of SMTP is the ability to send messages to the intended recipient across global networks reliably and securely. No other protocol manages outgoing messages, so SMTP is configured across thousands of email servers. With email marketing generating an average ROI of $36-$45 for every dollar spent, SMTP’s role in enabling this massive economic engine cannot be overstated. Email faces evolving security challenges, so many providers have incorporated SSL/TLS with SMTP relay connections. Several other security mechanisms have been added to email communication, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), protocols that have become mandatory for major email providers to combat the surge in sophisticated email-based attacks.

Benefits of SMTP Relay

Any time a user sends a message to a domain different from their own, the SMTP relay is used. Aside from this essential advantage, SMTP relay offers numerous benefits for businesses looking to optimise their email communication and marketing efforts, including:

1. Flexible Email Infrastructure

  • Internal vs. cloud-based options: Businesses can choose between using their own internal SMTP servers or opting for cloud-based solutions.
  • Third-party services: Platforms like G Suite and other cloud-based providers offer seamless integration with business domains, eliminating the need to maintain internal servers.

2. Enhanced Deliverability and Reputation Management

  • Protection from blocklisting: SMTP relay services help businesses send marketing emails without risking their primary domain being blocklisted.
  • Dedicated marketing domains: These services use separate domains for bulk email sending, shielding the business’s primary domain from potential blocks.

3. Bulk Email Handling

  • High-volume capacity: SMTP relay servers are designed to efficiently handle large volumes of marketing and transactional emails.
  • Scalability: Businesses can easily scale their email operations without worrying about infrastructure limitations.

4. Compliance and User Management

  • Opt-out and unsubscribe features: SMTP relay services help manage these crucial functions, ensuring compliance with email marketing regulations.
  • Regulatory adherence: These services help businesses comply with marketing message distribution guidelines.

5. Advanced Tracking and Analytics

  • Message tracking: Businesses can monitor the journey of their emails, including delivery to inboxes and read receipts.
  • Performance insights: These analytics help optimise email campaigns and improve overall email strategy.

6. User-friendly Interfaces

  • Message review: Many relay services offer intuitive interfaces for reviewing marketing messages before sending.
  • Campaign management: Simplified tools for creating, scheduling, and managing email campaigns.

7. Improved Security and Reliability

  • Secure transmission: SMTP relay ensures messages are sent securely across the internet.
  • Reduced internal server load: By offloading email handling to specialised services, businesses can focus on their core operations.

8. Cost-Effectiveness

  • Reduced infrastructure costs: Minimise the need to maintain costly in-house email servers with cloud-based SMTP relay services.
  • Pay-as-you-go models: Many services offer flexible pricing based on actual usage, optimising costs for businesses of all sizes.

By leveraging these benefits, businesses can significantly enhance their email communication capabilities, improve deliverability rates, and focus on creating impactful email content rather than managing complex email infrastructure.

Use Cases and Variants/Extensions

SMTP has branched into several specialised implementations that address different business needs. The core protocol remains the same, but these variants solve specific challenges that organisations face daily. Understanding which variant to use can save significant headaches down the road.

SMTPS adds SSL/TLS encryption directly into the mix. It operates on port 465 and wraps the entire conversation in security from the start. This approach differs from STARTTLS, which begins as plain text and then upgrades to encryption when both sides agree.

Submission services handle the tricky job of accepting outbound email from your applications and devices. They authenticate senders, apply proper headers, and route messages efficiently. Relay services take this further by acting as trusted intermediaries that protect your domain reputation while ensuring delivery.

Cloud email services have changed how businesses handle email infrastructure entirely. Instead of managing your own SMTP servers, platforms like SendGrid and Amazon SES handle the technical complexity. They provide APIs alongside traditional SMTP access, making integration straightforward for development teams.

The distinction between bulk and transactional email matters tremendously for implementation. Bulk email includes newsletters and marketing campaigns that can tolerate some delay. Transactional messages like password resets and purchase confirmations need immediate delivery. Each type requires different infrastructure approaches, rate limiting, and monitoring strategies to ensure optimal performance.

SMTP Security Risks and Threat Vectors

SMTP’s widespread adoption makes it an attractive target for cyber criminals seeking to exploit email infrastructure. The protocol faces evolving threats that range from legacy misconfigurations to sophisticated modern attack techniques.

Open relays represent one of the most dangerous SMTP misconfigurations. When servers accept email from any sender without authentication, they become launching pads for spam campaigns and phishing attacks. Nearly half of all email traffic consists of spam, with much of it originating from compromised open relays. These exploited servers quickly find themselves blacklisted by major email providers, effectively cutting off legitimate business communications.

Email spoofing through SMTP manipulation allows attackers to impersonate trusted domains and bypass basic security controls. Threat actors exploit inconsistencies between sending and receiving mail servers to smuggle malicious content past filters. Recent attacks have demonstrated how spoofed CEO emails can trick employees into authorising fraudulent payments, highlighting the financial risks of inadequate SMTP security.

STARTTLS downgrade attacks pose a significant threat to email encryption. Attackers intercept the initial SMTP handshake and prevent the upgrade to encrypted communication, forcing messages to transmit in plain text. This technique exposes sensitive email content and credentials to interception. Command injection vulnerabilities further compound these risks by allowing malicious code execution through manipulated email headers and attachments.
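
A sending client can guard against the STARTTLS downgrade described above, as in this added example (not from the original page): it parses a multi-line EHLO reply and decides whether delivery may proceed. The policy names `require` and `opportunistic`, the `seen_tls_before` flag and both sample replies are constructed for illustration.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample replies: the second has the STARTTLS keyword overwritten
NORMAL_REPLY = "250-mx.example.org\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED_REPLY = "250-mx.example.org\r\n250-SIZE 35882577\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into (code, {KEYWORD: parameters})."""
    code, extensions = None, {}
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    for index, raw in enumerate(lines):
        match = REPLY_LINE.match(raw)
        if not match:
            raise ValueError(f"malformed reply line: {raw!r}")
        line_code, separator, text = match.groups()
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed inside one reply")
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:      # '-' continues, ' ' ends the reply
            raise ValueError("continuation marker does not match line position")
        if index > 0 and text:                 # first line is the server greeting
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
    return int(code), extensions


def tls_decision(reply, policy, seen_tls_before=False):
    """Return (action, reason); action is 'starttls', 'plaintext' or 'defer'.

    policy          'require' never falls back to plaintext;
                    'opportunistic' may, as classic port-25 relay does.
    seen_tls_before the same host advertised STARTTLS in an earlier session
                    (assumption: the caller keeps that history).
    """
    code, extensions = parse_ehlo(reply)
    if code != 250:
        return "defer", f"EHLO rejected with {code}"
    if "STARTTLS" in extensions:
        # Caller must still validate the certificate and send EHLO again
        return "starttls", "server advertises STARTTLS"
    if policy == "require":
        return "defer", "TLS required but STARTTLS not advertised"
    if seen_tls_before:
        return "defer", "STARTTLS disappeared since last session: possible stripping"
    return "plaintext", "opportunistic mode and host never offered TLS"
```

Deferring keeps the message in the queue for a later attempt instead of sending it, and any credentials, in clear text.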

Misconfiguration issues plague SMTP deployments across enterprises. Servers running without proper authentication mechanisms, outdated TLS algorithms, or incorrect access controls create entry points for unauthorised access. The upcoming deprecation of SMTP AUTH in Microsoft 365 by March 2026 will force organisations to reconfigure their email infrastructure, potentially introducing new vulnerabilities during the transition.

Credential-based attacks target SMTP authentication through brute force attempts and stolen credentials. Once attackers gain access, they can send phishing emails from legitimate domains, distribute malware, and conduct business email compromise schemes. The fact that 94% of malware was delivered via email in 2025 demonstrates how compromised SMTP servers fuel the broader threat landscape. Organisations face not only immediate operational disruption but also potential regulatory violations and severe reputational damage when their email infrastructure becomes a conduit for cyber crime.

Additionally, on-premises applications are now migrating to cloud environments. But in the cloud, secure SMTP relay options are not available, warns Ash Valeski, Senior Director of Product Management at Proofpoint. “In theory, legacy on-premises SMTP relays could continue to make DMARC and outbound filtering easy. But allowing them to relay email from external cloud environments is risky, as it means turning them into ‘open relays’ (if they are not already). In addition, SMTP relays are becoming obsolete,” Valeski says.

Best Practices and Mitigations

Securing SMTP infrastructure requires a layered approach that addresses both technical vulnerabilities and operational risks. The good news is that most effective protections can be implemented without disrupting existing email workflows. Below are some of the latest and most effective security controls.

  • Enforce TLS 1.2+ encryption on all SMTP connections using port 587 for client submissions and port 465 for secure connections. Configure servers to require encryption rather than making it optional, preventing downgrade attacks that force plaintext transmission.
  • Implement robust SMTP authentication with strong passwords, API keys instead of basic credentials, and multifactor authentication where possible. Rotate credentials every 30-90 days and use dedicated service accounts rather than personal mailboxes for automated systems.
  • Deploy email authentication protocols, including SPF records to specify authorised sending servers, DKIM signatures to verify message integrity, and DMARC policies to instruct receiving servers how to handle authentication failures. These protocols work together to prevent spoofing and improve deliverability.
  • Configure port restrictions and firewall rules to block unnecessary SMTP ports, limit connections to specific IP addresses, and prevent open relay configurations. Use IP whitelisting for internal systems and monitor for unauthorised connection attempts.
  • Establish comprehensive monitoring for authentication failures, unusual sending patterns, and blocked connections. Set up automated alerts for suspicious activities like multiple failed login attempts or sudden spikes in outbound email volume.
  • Conduct regular security audits that include testing DMARC policies with spoofed emails, reviewing user access permissions, and scanning for outdated TLS configurations or weak cipher suites. Tools like SSL Labs can help assess server security posture and identify improvement areas.

These measures create multiple defensive layers that significantly reduce SMTP-related security risks while maintaining email functionality for legitimate business operations.
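
The SPF and DMARC review from the list above can be partly automated, as in this added example (not from the original page): it parses TXT record strings and flags settings that leave a domain spoofable. The finding codes and sample records are constructed; in practice the records would come from DNS lookups of the domain and of `_dmarc.<domain>`.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample records
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.org"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"


def audit_spf(record):
    """Return finding codes for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-invalid"]
    lookups, all_qualifier, redirect = 0, None, False
    for term in (t.lower() for t in terms[1:]):
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?")
        name = re.split(r"[:/]", body)[0]
        if body.startswith("redirect="):
            redirect = True
            lookups += 1
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all" and all_qualifier is None:
            all_qualifier = qualifier
    findings = []
    if lookups > 10:                       # RFC 7208 limit on DNS-querying terms
        findings.append("spf-too-many-lookups")
    if all_qualifier == "+":               # every host on the internet passes
        findings.append("spf-pass-all")
    elif all_qualifier == "?":             # neutral result gives receivers no signal
        findings.append("spf-neutral-all")
    elif all_qualifier is None and not redirect:
        findings.append("spf-missing-all")
    return findings


def audit_dmarc(record):
    """Return finding codes for one DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["dmarc-invalid"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc-policy-missing")
    elif policy == "none":                 # failures are reported but still delivered
        findings.append("dmarc-monitor-only")
    if policy in ("quarantine", "reject"):
        if tags.get("sp", "").lower() == "none":
            findings.append("dmarc-subdomains-unprotected")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:                      # policy applies to only part of the mail
            findings.append("dmarc-partial-enforcement")
    if "rua" not in tags:
        findings.append("dmarc-no-aggregate-reports")
    return findings


def audit_domain(spf_record, dmarc_record):
    """Combine both audits into one list of finding codes."""
    return audit_spf(spf_record) + audit_dmarc(dmarc_record)
```
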

Compliance, Regulation and Geo-Specific Considerations

SMTP implementations must navigate an increasingly complex web of privacy regulations that vary significantly by jurisdiction. The stakes are high, with GDPR fines reaching up to 4% of global revenue and CCPA penalties ranging from $2,500 to $7,500 per violation. Organisations sending email across borders face the challenge of meeting multiple regulatory frameworks simultaneously.

GDPR fundamentally changed how businesses handle email data by treating privacy as a fundamental human right. The regulation requires explicit consent before collecting email addresses, mandates TLS encryption for data transmission, and grants individuals comprehensive rights, including data deletion and portability. European data residency requirements often force organisations to deploy SMTP infrastructure within EU boundaries, creating additional operational complexity for global enterprises.

CCPA takes a consumer protection approach that focuses on transparency and user control rather than consent mechanisms. California residents can demand to know what personal information companies collect, request deletion of their data, and opt out of data sales to third parties. The law’s broad definition of “selling” includes sharing email addresses with marketing partners, requiring careful review of SMTP provider relationships and data processing agreements.

Cross-border email flows create jurisdictional challenges that extend beyond simple data residency. Different countries impose varying restrictions on data transfers, encryption requirements, and local processing mandates. Organisations must evaluate whether their SMTP providers offer region-specific infrastructure and can demonstrate compliance with local sovereignty laws while maintaining global email functionality.

Industry standards like ISO 27001 and NIST frameworks provide structured approaches to SMTP security governance. SOC 2 Type 2 compliance has become table stakes for enterprise SMTP providers, while specialised requirements like HIPAA Business Associate Agreements are essential for healthcare communications. These certifications offer third-party validation of security controls and help organisations demonstrate due diligence to regulators and auditors.

The key to managing this compliance landscape lies in adopting the highest standard approach across all jurisdictions and maintaining comprehensive audit trails for consent, data transfers, and security incidents.

SMTP Relay Solutions

SMTP relay solutions enhance the security, deliverability, and management of outgoing emails, particularly for businesses sending large volumes of transactional or application-generated emails. These services typically offer the following features and benefits:

  • Enhanced security: These solutions implement advanced authentication mechanisms, scan emails for malicious content, and apply anti-spam and anti-virus measures to protect both senders and recipients.
  • DMARC compliance: Many services facilitate DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation by enabling DKIM (DomainKeys Identified Mail) signing for all outgoing emails, including those from third-party senders.
  • Cloud migration support: As organisations move their email infrastructure to the cloud, these services can replace on-premises relays, supporting a full transition to cloud-based email systems.
  • Third-party sender management: These solutions help organisations control and secure emails sent on their behalf by SaaS providers and other third-party applications.
  • Data protection: Advanced services may offer encryption and data loss prevention (DLP) capabilities to safeguard sensitive information in transactional emails.
  • Scalability: These services are designed to handle large volumes of emails, making them suitable for businesses sending bulk marketing or notification emails.
  • Compliance support: Many solutions help organisations meet regulatory requirements by providing features like email archiving and control over personally identifiable information (PII) in outgoing messages.
  • Centralised control: These solutions often provide a consolidated view and management interface for all application-generated and third-party emails using the organisation’s domain.

When considering SMTP relay services, organisations should evaluate their specific needs regarding email volume, security requirements, compliance needs, and integration with existing systems and third-party applications.

How to Assess Your SMTP Environment

Regular assessment of your SMTP infrastructure reveals vulnerabilities before attackers do. The process requires systematic evaluation of configurations, security controls, and operational metrics that collectively determine your email security posture.

CISO Assessment Checklist

  • Authentication and access control: Verify SMTP AUTH is enabled on all outbound services, review credential policies for service accounts, and confirm multifactor authentication deployment where possible.
  • Encryption and transport security: Test TLS 1.2+ enforcement across all connections, validate certificate configurations on ports 465/587, and confirm MTA-STS policy implementation for receiving domains.
  • Email authentication protocols: Audit SPF records for completeness, verify DKIM signature validity, and review DMARC policy alignment with organisational risk tolerance.
  • Open relay testing: Use tools like telnet tests or online services to confirm that servers reject unauthorised relay attempts from external sources.
  • Network security: Review firewall rules restricting SMTP ports, validate IP whitelisting configurations, and assess network segmentation for email infrastructure.

Essential Assessment Tools

Online open relay testers like MXToolbox or SMTP Diag provide quick vulnerability scans without requiring internal access. SSL Labs’ mail server test evaluates TLS configurations and cipher strength. Port scanners help identify exposed services, while packet capture tools can reveal plaintext transmissions during troubleshooting.

Key Metrics for Ongoing Monitoring

Track authentication failure rates, connection attempts from unauthorised IPs, and TLS negotiation success rates. Monitor bounce rates and delivery failures that might indicate reputation issues.

Establish baselines for normal email volumes to detect potential abuse or compromise. Document compliance gaps against frameworks like NIST SP 800-45 to prioritise remediation efforts and demonstrate due diligence during audits.
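
Two of the metrics above can be computed directly from mail logs, as in this added example (not from the original page): it counts SASL authentication failures per client IP and compares each sender's outbound recipient count with a baseline. The log lines are constructed in Postfix style, and the thresholds, the one-hour window and the baseline figures are assumptions.

```python
import re
from collections import Counter

AUTH_FAIL = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL \S+ authentication failed"
)
QUEUED = re.compile(
    r"postfix/qmgr\[\d+\]: \w+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed one-hour log excerpt (Postfix-style lines, documentation IP ranges)
SAMPLE_LOG = """\
Jan 12 10:00:01 mx1 postfix/submission/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 10:00:03 mx1 postfix/submission/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 10:00:05 mx1 postfix/submission/smtpd[2214]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Jan 12 10:00:09 mx1 postfix/submission/smtpd[2214]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed:
Jan 12 10:02:40 mx1 postfix/submission/smtpd[2230]: warning: host7.example.net[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 12 10:05:00 mx1 postfix/qmgr[901]: 4F1A2B3C5D: from=<alice@example.org>, size=2211, nrcpt=1 (queue active)
Jan 12 10:07:12 mx1 postfix/qmgr[901]: 4F1A2B3C5E: from=<alice@example.org>, size=1890, nrcpt=2 (queue active)
Jan 12 10:10:00 mx1 postfix/qmgr[901]: 4F1A2B3C5F: from=<newsletter@example.org>, size=48211, nrcpt=400 (queue active)
Jan 12 10:20:31 mx1 postfix/qmgr[901]: 4F1A2B3C60: from=<printer@example.org>, size=5120, nrcpt=50 (queue active)
Jan 12 10:20:45 mx1 postfix/qmgr[901]: 4F1A2B3C61: from=<printer@example.org>, size=5120, nrcpt=50 (queue active)
""".splitlines()

# Assumption: normal recipients per hour for each sender, learned from history
BASELINE = {"alice@example.org": 20, "newsletter@example.org": 500, "printer@example.org": 2}


def analyse(lines, baseline, fail_threshold=3, spike_factor=5):
    """Return sorted alerts as (kind, subject, count) tuples for one time window."""
    failures, volume = Counter(), Counter()
    for line in lines:
        match = AUTH_FAIL.search(line)
        if match:
            failures[match["ip"]] += 1
            continue
        match = QUEUED.search(line)
        if match and match["sender"]:          # skip bounces with the null sender <>
            volume[match["sender"]] += int(match["nrcpt"])

    alerts = []
    for ip, count in sorted(failures.items()):
        if count >= fail_threshold:            # repeated failures from one client
            alerts.append(("auth-failures", ip, count))
    for sender, count in sorted(volume.items()):
        expected = baseline.get(sender)
        if expected is None:                   # sender with no history at all
            alerts.append(("unbaselined-sender", sender, count))
        elif count > spike_factor * expected:  # sudden jump in outbound volume
            alerts.append(("volume-spike", sender, count))
    return alerts
```
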

Conclusion

Understanding SMTP’s complexities and security challenges requires more than theoretical knowledge. It demands practical expertise backed by real-world threat intelligence. Proofpoint stands as the recognised global leader in email security, trusted by half a million customers, including 87 of the Fortune 100, to protect their most critical communications infrastructure.

As a leader in both the Gartner 2025 Magic Quadrant for Email Security Platforms and the Forrester Wave for Email, Messaging, and Collaboration Security Solutions, Proofpoint brings unmatched authority to the evolving email threat landscape. The company’s people-centric security approach, combined with emerging threat intelligence and comprehensive email authentication capabilities, addresses the sophisticated attacks that target SMTP infrastructure daily.

For organisations serious about securing their email environment against modern threats—from Business Email Compromise to SMTP smuggling—Proofpoint’s proven track record demonstrates the depth and breadth of expertise that security professionals need in today’s threat environment. Contact Proofpoint to learn more.

FAQs

What is the difference between IMAP and SMTP?

SMTP handles outbound email transmission from your client to mail servers and between servers, while IMAP manages inbound message retrieval and synchronisation across multiple devices. Think of SMTP as the postal service that delivers your letters, and IMAP as the system that organises your mailbox. SMTP operates on ports 25, 465, and 587, while IMAP uses ports 143 and 993 for secure connections. You need both protocols working together for complete email functionality.

What is an SMTP relay?

An SMTP relay is an intermediary service that forwards email messages between different mail servers, particularly when sending to external domains. It acts as a trusted middleman that accepts your outbound messages and routes them through the optimal path to reach their destination. Relay services are especially valuable for businesses sending bulk emails because they protect your primary domain’s reputation and improve deliverability rates. Without relay functionality, you could only send emails within your own domain.

Can SMTP be secured end-to-end?

SMTP itself provides transport-level security through TLS encryption, but not true end-to-end encryption where only the sender and recipient can decrypt messages. SMTP with TLS secures the connection between mail servers, preventing interception during transmission, but messages remain readable by email providers and server administrators. For genuine end-to-end encryption, you need additional protocols like PGP or S/MIME that encrypt message content before it enters the SMTP system. Most business communications rely on SMTP’s transport security combined with these additional encryption layers.

What is the risk of open relay?

Open relays represent one of the most dangerous SMTP misconfigurations because they allow anyone on the internet to send email through your server without authentication. Spammers actively scan for and exploit these servers to distribute massive volumes of unsolicited messages, which quickly get your IP address and domain blacklisted by major email providers. Once blacklisted, even legitimate business emails from your organisation may be blocked or sent to spam folders. The reputational damage can persist for months and severely impact business communications.

How does DMARC relate to SMTP?

DMARC works alongside SMTP by providing email authentication policies that instruct receiving mail servers how to handle messages that fail SPF or DKIM verification. When an SMTP server receives a message, it checks the sender’s DMARC policy to determine whether to deliver, quarantine, or reject emails that don’t pass authentication checks. DMARC essentially adds a layer of sender verification to the basic SMTP transmission process, helping prevent email spoofing and phishing attacks. The policy is published in DNS records and enforced by receiving SMTP servers during the standard email delivery process.
