Email makes modern communications work. We use email for keeping in touch with friends and family, organizing business activities, and tracking a variety of other needs. But how does email actually work and why do you get so many spam emails? That all comes down to email messaging protocols.

Email messaging protocols

There are three main protocols used by email clients for email messaging. The Simple Mail Transfer Protocol (SMTP) provides the delivery standard for outgoing email transmissions, whereas the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP) both indicate how a recipient accesses the incoming email they have received.

Email transmission uses the following process for mail transactions:

  1. The sender initiates a Simple Mail Transfer Protocol connection, which will review the email envelope data for the recipient's email account.
  2. The SMTP server and the mail client communicate through SMTP commands as the recipient's email address is translated using DNS, then used to identify the IP address and mail exchange (MX) server associated with the domain. The message is forwarded to the recipient's mail server.
  3. The recipient can access the message using either the Post Office Protocol or the Internet Message Access Protocol.

SMTP provides the network protocol for email routing and delivery that is used by mail servers and mail transfer agents (also known as message transfer agents or MTAs). SMTP messages may also be used with Multipurpose Internet Mail Extensions (MIME) to support non-ASCII text and various attachment content types beyond text. The everyday user won't typically see the process by which SMTP functions even though SMTP commands govern email message transportation.

Everyday users are more likely to see traces of IMAP or POP, depending on which protocol they use to retrieve their messages. IMAP, the Internet Message Access Protocol, enables users to access email on a remote server. With IMAP, the email remains on the email server until the user deletes it. The Post Office Protocol (POP), in contrast, typically retrieves messages to store them on the user's device while deleting them from the server. POP version 3 provides an option to leave mail on the server, though it is often used to ensure that emails are available while offline.

These and other protocols are defined by Request for Comments (RFCs) maintained by the Internet Engineering Task Force.

These standard transmission protocols determine how email is delivered and received but they don't, by themselves, offer robust email security measures. In addition to implementing strong policies, you can cultivate security awareness within your organization through cybersecurity awareness trainings and phishing awareness so that email recipients remain alert to email threats, risks, and scams.

How to improve email security

While there are some configuration policies you can implement to decrease risk, it is nigh impossible to fully eradicate email-related risks.

You may be susceptible to a wide range of attacks sent over email, including the following:

Strengthen your email security posture with a series of policies and configuration settings, like DMARC and SPF, that add authentication layers and improve deliverability. Email providers, like Google Mail (Gmail), Microsoft Outlook, and Yahoo, offer email delivery options as part of their email service.

DMARC (Domain-based Message Authentication, Reporting & Conformance) helps to protect your email recipients from spam and malware, while maintaining your domain and brand credibility. DMARC, together with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), negotiates email authentication to prevent fraudulent emails. When you create your DMARC record, ensure that you account for common configuration issues.

When an email is sent through the Simple Mail Transfer Protocol (SMTP), there is no requirement for authorized messages, which means that spammers can forge your domain in their phishing attacks. The Sender Policy Framework confirms the mail servers authorized to send email, whereas DKIM provides a domain owner's signature for emails from that domain. Like DMARC, there are some common issues with SPF configuration to consider.
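A record check for the SPF and DMARC policies described above, as an added example that is not part of the original article or any UpGuard tooling. It works on TXT record strings you have already retrieved; the function names and the `example.com` sample records are constructed for illustration, and the conditions it flags are drawn from RFC 7208 and RFC 7489 rather than from this page.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208 caps them at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")

def check_spf(txt_records):
    """Return problems found in the TXT records published at a domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records: evaluation ends in permerror")
    terms = spf[0].lower().split()[1:]
    # Lookups nested inside include: targets are not resolved here (no DNS access).
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms: over the limit of 10")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif alls and alls[0] in ("all", "+all"):
        issues.append("+all: any host may send as this domain")
    return issues

def check_dmarc(txt_records):
    """Return problems found in the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published"]
    issues = []
    if len(dmarc) > 1:
        issues.append("multiple DMARC records: receivers apply none of them")
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none: monitoring only, no action requested on failures")
    if "rua" not in tags:
        issues.append("no rua= tag: aggregate reports are not collected")
    return issues

# Constructed sample records (example.com is a placeholder domain).
if __name__ == "__main__":
    print(check_spf(["v=spf1 mx include:_spf.example.com +all"]))
    print(check_dmarc(["v=DMARC1; p=none"]))
```

An empty list means none of these conditions were found; it does not confirm that the listed senders are the right ones.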

Follow our guide on How to Create an SPF Record

In addition to these outgoing authentication policies, you can implement restrictions for incoming messages to prevent phishing emails and other spam attacks. A dedicated spam filter can capture a percentage of what is likely junk mail from spammers.

Because spam email may include risky attachments, set up attachment restrictions to prevent questionable file types or sizes. There are file transfer methods other than email attachments for sending business-critical documents and files.

Email-based encryption is another option to protect email, though it typically requires trusted certificates across both the sender and recipient. Still, secure email sent with encryption can help to protect sensitive data in transit and provide support for data loss prevention.

Even if you do not implement encryption for all business emails, consider requiring multi-factor authentication for any email access. If someone does become a victim of a phishing campaign, MFA can help to prevent business email compromise if the attacker cannot provide that additional authentication factor.

Follow our Email Security Checklist

Whichever policies you implement, remember to validate them regularly to ensure proper functionality. With continuous monitoring, you can remain informed in real time so that you don't miss a critical issue between validation checks.

UpGuard helps you identify messaging protocol port exposures

Alongside other open ports, configuration risks, and software vulnerabilities, UpGuard BreachSight scans your external attack surface to assess your use of email protocol ports. BreachSight will notify your organization about TCP/IP ports used for email messaging protocols, so ensure that the following ports are closed unless required for business operations:

  • 'Dovecot Pigeonhole' port open
  • 'IMAP' port open
  • 'POP3' port open
  • 'SMTP' port open

Dovecot offers an email platform with a secure IMAP server for email retrieval. The Pigeonhole package enables Dovecot users to supply Sieve scripts that govern message delivery. By default, Dovecot Pigeonhole uses port 143, which is the standard (and insecure) port for IMAP. If your organization uses Dovecot, ensure that you close the insecure port in favor of the IMAP over SSL port 993.

The 'IMAP' port open finding indicates that your organization uses an unsecured method to retrieve email from the mail server. IMAP provides unencrypted data transmission by default over port 143. Because this data is transmitted in plain text, it can be a valuable target for attackers. Instead, use the encrypted version of IMAP. IMAP over SSL/TLS (IMAPS) uses port 993.

Like IMAP, POP is used to retrieve email from a server. The 'POP3' port open finding identifies that your organization has an exposed port 110 for the Post Office Protocol Version 3 (POP3). Like IMAP, POP communicates in plain text. If you prefer POP to IMAP, consider implementing POP3S, which runs POP3 over SSL with port 995.

If you receive the 'SMTP' port open finding, you will be notified which exposed port is running the SMTP service. Port 25 is the default port used for SMTP, which does not provide encryption or require authentication. Without those security features, an SMTP server is a target for data exfiltration attacks. Configuring your SMTP server to require authentication with encryption can protect your domain from use as a spam server, which could lead to your domain being added to a denylist for email. Instead, consider using port 587 for encrypted transmissions using SMTP Secure (SMTPS). Use of port 465 for SMTP is outdated. Ensure your SMTP port is protected.
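A host-side check for the plaintext mail ports discussed above, as an added example that is not part of the original article or of BreachSight. It assumes the input is the text output of `ss -ltn` on a Linux mail host; the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Plaintext mail ports and the encrypted ports the article recommends instead.
PLAINTEXT = {25: ("SMTP", 587), 110: ("POP3", 995), 143: ("IMAP", 993)}

def is_loopback(addr):
    """True when a listener address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%")[0]      # drop IPv6 brackets and %iface scope
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                           # '*' wildcard: treat as exposed

def exposed_mail_ports(ss_output):
    """Parse `ss -ltn` text; return (port, protocol, address, suggested_port)."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                           # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in PLAINTEXT or is_loopback(addr):
            continue
        name, secure = PLAINTEXT[int(port)]
        findings.add((int(port), name, addr, secure))
    return sorted(findings)

# Constructed sample of `ss -ltn` output from a hypothetical mail host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
LISTEN 0      100        127.0.0.1:143       0.0.0.0:*
LISTEN 0      100             [::]:993          [::]:*
LISTEN 0      100                *:110             *:*
LISTEN 0      100            [::1]:110          [::]:*
"""

if __name__ == "__main__":
    for port, name, addr, secure in exposed_mail_ports(SAMPLE):
        print(f"{name} listening on {addr}:{port}; prefer port {secure}")
```

Listeners bound only to loopback are skipped because they are not reachable from outside the host; a firewall in front of the host can still change what an external scan sees.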

Current UpGuard users can access their Risk Profile in BreachSight to assess whether any of these email protocol findings and other exposed endpoints impact your organization. You can also review other potential exposures, including database ports, file transfer ports, exposed server headers, and Diffie-Hellman encryption issues.

If you're not a current UpGuard user and you want to review your public-facing assets for these findings and more, sign up for a trial to experience automation features for security.
