SMTP Network Protocol: A Deep Technical Dive
Alex Chen
January 1, 2026
An in-depth exploration of SMTP at the network level, including TCP connections, ports, TLS, and packet analysis.
Introduction
SMTP (Simple Mail Transfer Protocol) operates at the application layer of the TCP/IP model. This guide explores SMTP from a network engineering perspective, covering connection handling, port configurations, and security mechanisms.
SMTP in the TCP/IP Stack
┌─────────────────────────────────────────────────────────────┐
│ APPLICATION LAYER │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ SMTP │ │
│ │ (RFC 5321, RFC 5322) │ │
│ └─────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ TRANSPORT LAYER │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ TCP │ │
│ │ (Connection-oriented, reliable) │ │
│ │ Port 25, 587, or 465 │ │
│ └─────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ NETWORK LAYER │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ IP (IPv4/IPv6) │ │
│ │ Routing between networks │ │
│ └─────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ DATA LINK LAYER │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Ethernet, WiFi, etc. │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
SMTP Ports and Their Uses
| Port | Protocol | Use Case | Security |
|---|---|---|---|
| 25 | SMTP | Server-to-server relay | None/STARTTLS |
| 465 | SMTPS | Legacy secure submission | Implicit TLS |
| 587 | Submission | Client-to-server | STARTTLS required |
| 2525 | Alternative | When 587 is blocked | STARTTLS |
Port Selection Flow
┌─────────────────────────────────────────────────────────────┐
│                 CLIENT CONNECTION DECISION                  │
└─────────────────────────────┬───────────────────────────────┘
                              │
                              ▼
                     ┌──────────────────┐
                     │  Sending to own  │
                     │   mail server?   │
                     └────────┬─────────┘
                              │
               ┌──────────────┴──────────────┐
               │                             │
               ▼                             ▼
          ┌──────────┐                  ┌──────────┐
          │   YES    │                  │    NO    │
          └────┬─────┘                  └────┬─────┘
               │                             │
               ▼                             ▼
      ┌─────────────────┐           ┌─────────────────┐
      │ Port 587        │           │ Port 25         │
      │ (Submission)    │           │ (Relay)         │
      │ + Authentication│           │ Server-to-server│
      └─────────────────┘           └─────────────────┘
TCP Connection Establishment
Three-Way Handshake for SMTP
┌──────────────┐ ┌──────────────┐
│ CLIENT │ │ SERVER │
│ (Sender) │ │ (Receiver) │
└──────┬───────┘ └──────┬───────┘
│ │
│ SYN (seq=100) │
│ ─────────────────────────────────────> │
│ "I want to connect to port 25" │
│ │
│ SYN-ACK (seq=300, ack=101) │
│ <───────────────────────────────────── │
│ "OK, I acknowledge your request" │
│ │
│ ACK (seq=101, ack=301) │
│ ─────────────────────────────────────> │
│ "Great, connection established!" │
│ │
│ ═══════════════════════════════════════ │
│ TCP CONNECTION READY │
│ ═══════════════════════════════════════ │
│ │
│ 220 mail.server.com ESMTP ready │
│ <───────────────────────────────────── │
│ (SMTP session begins) │
│ │
ESMTP Extensions
Extended SMTP (ESMTP) adds capabilities beyond basic SMTP:
Client: EHLO mail.client.com
Server: 250-mail.server.com Hello
250-SIZE 35882577 ← Max message size
250-8BITMIME ← 8-bit MIME support
250-STARTTLS ← TLS upgrade available
250-ENHANCEDSTATUSCODES ← Detailed error codes
250-PIPELINING ← Command batching
250-CHUNKING ← Large message chunking
250-SMTPUTF8 ← Unicode support
250 AUTH PLAIN LOGIN ← Authentication methods
TLS Encryption Modes
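The capability list above is sent before any TLS upgrade, so a client that requires STARTTLS has to treat a missing STARTTLS line as a failure instead of falling back to plaintext AUTH. The following is an added example, not code from the original article: it parses an EHLO reply and applies the policy from the port table, and `parse_ehlo`, `after_ehlo`, `DowngradeError` and both sample replies are names and data constructed for this illustration.

```python
import re

# One reply line: 3-digit code, '-' (more lines follow) or ' ' (last line), text.
_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

class DowngradeError(Exception):
    """STARTTLS is required by local policy but was not offered."""

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [parameters]}."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    exts = {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        words = m.group(3).split()
        if i > 0 and words:  # line 0 is the greeting, not an extension
            exts[words[0].upper()] = words[1:]
    return exts

def after_ehlo(port: int, reply: str, tls_active: bool) -> str:
    """Return the next command family a client may send after EHLO."""
    exts = parse_ehlo(reply)
    if tls_active:  # EHLO repeated inside TLS: the list that counts
        return "AUTH" if "AUTH" in exts else "MAIL"
    if "STARTTLS" in exts:
        return "STARTTLS"  # AUTH advertised in plaintext is ignored
    if port == 25:
        return "MAIL"  # relay row of the port table: TLS is opportunistic
    raise DowngradeError(f"port {port}: STARTTLS not offered, refusing plaintext AUTH")

# Constructed sample: the capability list from this page as it appears on the wire.
PAGE_REPLY = (
    "250-mail.server.com Hello\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
    "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n"
    "250-CHUNKING\r\n250-SMTPUTF8\r\n250 AUTH PLAIN LOGIN\r\n"
)
# Constructed sample: the same reply without the STARTTLS line, as a client sees
# it when the server is misconfigured or the line was removed in transit.
STRIPPED_REPLY = PAGE_REPLY.replace("250-STARTTLS\r\n", "")
```

On port 587 the stripped reply raises `DowngradeError`, while on port 25 the same reply yields a plaintext `MAIL`, which is the gap that opportunistic relay TLS leaves open.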
STARTTLS (Opportunistic TLS)
┌──────────────┐ ┌──────────────┐
│ CLIENT │ │ SERVER │
└──────┬───────┘ └──────┬───────┘
│ │
│ TCP Connect to port 587 │
│ ─────────────────────────────────────> │
│ │
│ 220 Ready (plaintext) │
│ <───────────────────────────────────── │
│ │
│ EHLO client.com │
│ ─────────────────────────────────────> │
│ │
│ 250 ... STARTTLS │
│ <───────────────────────────────────── │
│ │
│ STARTTLS │
│ ─────────────────────────────────────> │
│ │
│ 220 Go ahead │
│ <───────────────────────────────────── │
│ │
│ ╔═══════════════════════════════════╗ │
│ ║ TLS HANDSHAKE BEGINS ║ │
│ ║ - Certificate exchange ║ │
│ ║ - Cipher negotiation ║ │
│ ║ - Key exchange ║ │
│ ╚═══════════════════════════════════╝ │
│ │
│ EHLO client.com (encrypted) │
│ ════════════════════════════════════> │
│ │
Implicit TLS (Port 465)
┌──────────────┐ ┌──────────────┐
│ CLIENT │ │ SERVER │
└──────┬───────┘ └──────┬───────┘
│ │
│ TCP Connect to port 465 │
│ ─────────────────────────────────────> │
│ │
│ ╔═══════════════════════════════════╗ │
│ ║ TLS HANDSHAKE IMMEDIATELY ║ │
│ ║ (No plaintext phase) ║ │
│ ╚═══════════════════════════════════╝ │
│ │
│ 220 Ready (already encrypted) │
│ <════════════════════════════════════ │
│ │
SMTP Packet Analysis
Example Wireshark Capture
No. Time Source Dest Protocol Info
───────────────────────────────────────────────────────────
1 0.000 192.168.1.10 mail.srv.com TCP SYN
2 0.023 mail.srv.com 192.168.1.10 TCP SYN-ACK
3 0.024 192.168.1.10 mail.srv.com TCP ACK
4 0.045 mail.srv.com 192.168.1.10 SMTP 220 Ready
5 0.067 192.168.1.10 mail.srv.com SMTP EHLO
6 0.089 mail.srv.com 192.168.1.10 SMTP 250 OK
7 0.112 192.168.1.10 mail.srv.com SMTP STARTTLS
8 0.134 mail.srv.com 192.168.1.10 SMTP 220 Go ahead
9 0.156 192.168.1.10 mail.srv.com TLSv1.3 Client Hello
10 0.178 mail.srv.com 192.168.1.10 TLSv1.3 Server Hello
...
Connection Timeouts
| Phase | Typical Timeout | RFC Recommendation |
|---|---|---|
| Initial connection | 30 seconds | 5 minutes |
| EHLO/HELO response | 300 seconds | 5 minutes |
| MAIL FROM response | 300 seconds | 5 minutes |
| RCPT TO response | 300 seconds | 5 minutes |
| DATA initiation | 120 seconds | 2 minutes |
| Data block | 180 seconds | 3 minutes |
| Final . response | 600 seconds | 10 minutes |
DNS and Email Routing
MX Record Resolution
┌─────────────────────────────────────────────────────────────┐
│ SENDING TO: user@example.com │
└─────────────────────────────┬───────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 1. DNS QUERY: MX record for example.com │
│ │
│ dig MX example.com │
│ │
│ ANSWER: │
│ example.com. 3600 IN MX 10 mx1.example.com. │
│ example.com. 3600 IN MX 20 mx2.example.com. │
└─────────────────────────────┬───────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 2. DNS QUERY: A record for mx1.example.com │
│ │
│ dig A mx1.example.com │
│ │
│ ANSWER: │
│ mx1.example.com. 3600 IN A 203.0.113.10 │
└─────────────────────────────┬───────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 3. TCP CONNECTION to 203.0.113.10:25 │
│ │
│ If fails → try mx2.example.com (priority 20) │
└─────────────────────────────────────────────────────────────┘
SMTP Pipelining
Pipelining allows sending multiple commands without waiting for responses:
WITHOUT PIPELINING:           WITH PIPELINING:
─────────────────────         ─────────────────────
C: MAIL FROM:<a@b.com>        C: MAIL FROM:<a@b.com>
S: 250 OK                        RCPT TO:<x@y.com>
C: RCPT TO:<x@y.com>             RCPT TO:<z@y.com>
S: 250 OK                        DATA
C: RCPT TO:<z@y.com>          S: 250 OK
S: 250 OK                        250 OK
C: DATA                          250 OK
S: 354 Go ahead                  354 Go ahead
Latency: 4 round trips        Latency: 1 round trip
Debugging SMTP Connections
Using telnet/openssl
# Plain SMTP (port 25)
telnet mail.example.com 25
# STARTTLS (port 587)
openssl s_client -connect mail.example.com:587 -starttls smtp
# Implicit TLS (port 465)
openssl s_client -connect mail.example.com:465
Common Issues
| Symptom | Possible Cause | Diagnosis |
|---|---|---|
| Connection refused | Firewall blocking | telnet host 25 |
| Connection timeout | Network routing | traceroute host |
| Certificate error | TLS misconfiguration | openssl s_client |
| 550 Relay denied | Not authenticated | Check AUTH |
Conclusion
Understanding SMTP at the network level is essential for:
The protocol's simplicity (text-based commands over TCP) makes it both accessible and reliable, though modern security requirements have added layers of complexity through TLS and authentication mechanisms.