What technology is used for sending email messages?

Lila Kee is the General Manager for GlobalSign’s North and South American operations, as well as the company's Chief Product Officer.

With cyberattacks being a daily occurrence now, one can easily forget that the security of certain internet technology standards has improved significantly over the last decades.

Take, for example, the hypertext transfer protocol (HTTP), the standard for how websites have been loaded since the late 1990s. The protocol itself has been continuously improved upon by the Internet Engineering Task Force (IETF) from HTTP/1 to HTTP/2 and up to the recently emerging HTTP/3. As an added layer of security, HTTPS (the S is for "secure") has emerged in the last five years and has been adopted as the standard.

This accelerated in July 2018 when Google began marking all websites that do not have an SSL certificate as "not secure" in Chrome version 68. While only about 40% of the top sites on the web accessed via Google Chrome were loaded over HTTPS in 2015, that number rose to over 75% in 2018 — and now over 90% of the most popular sites are using HTTPS. This means that by now, most of our communication with websites is encrypted, and we can be sure we're connected to the right website. Great news!

The success can mostly be correlated with the efforts of both the IETF and the CA/Browser Forum (CA/B Forum). While the IETF has a wider scope, the CA/B Forum tries to focus on establishing and improving standards around the use of digital certificates. SSL/TLS certificates (the most well-known types) enable secure connections over HTTPS, so the effort of making them easier to use, easier to obtain and more rigorously controlled in issuance, alongside general improvements to the protocol, is what helped push the adoption of SSL/TLS forward. The point to be made here is that all of this success is thanks to the efforts of organizations that get their resources from different companies in the industry. It's not uncommon for the brightest minds of some competitors to sit together and try to focus on improving technology so that everyone benefits, as in the case of HTTPS and security on the web.

However, back to the opening paragraph: Something that has barely changed since its inception — in 1982 — is the Simple Mail Transfer Protocol (SMTP — and no, the S here is unfortunately not for "secure"). I like to compare sending an email to sending a postcard. Anyone along the way can read or even change it: the folks in the post office, the mailman or just anyone who gets their hands on it in some way. Since email usually also passes through multiple servers on its way from the sender to the recipient, it really works the same way. Anyone with access to any of those servers can read any mail that passes through. You might now be thinking to yourself: "Wow, is it really that bad?" Yes, it is!

Luckily, some very smart folks have also found a workaround for email. Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) are protocols for sending encrypted and signed emails. The most accurate real-life comparison would be a wax-sealed letter that is also written in a secret language that only the sender and recipient understand. It can't be altered without it being obvious to the recipient — and even if it's intercepted, no one can read it. Why are those protocols not being used more widely?

Here's where we get back to a need for standards. PGP often requires a great deal of technological know-how to make it work since it has little to no implementation in consumer-grade software. That is why you will mostly see it used by some very privacy-minded (but also tech-savvy) folks such as engineers, journalists and activists. S/MIME sees more implementation and is a little easier to handle, but unlike PGP, the issuance is more controlled and focused on business use cases. HTTPS has shown that once folks collaborate and work on establishing standards and certificates become easier to obtain, there's real potential for the adoption of new technologies and improvements to security.

I'm very pleased there's now a working group in the CA/B Forum chartered specifically to determine so-called "baseline requirements" for the issuance of S/MIME certificates. Representatives from various certificate authorities (including GlobalSign) are among the many contributors that are trying to agree on how the issuance and validation of S/MIME certificates should work. Between these efforts, certificates becoming more readily available and email clients increasingly implementing features to support S/MIME, there's real hope that email will become a more secure method of communication — because who in their right mind would send their invoices on postcards?

Obviously, these things don't happen overnight. One drawback of these joint efforts is that it takes significant time to produce results. Furthermore, there are unresolved challenges with how to make S/MIME available to not only corporate users but each and every one of us. Also, getting to "encryption by default," as we did with HTTPS, still seems like shooting for the moon.

All in all, however, there's good reason for optimism that email will become more secure in the years to come because as in nature, so is the fate of technologies — adapt or die. In the present decade, technology mostly needs to adapt to the security requirements of our connected world. Email has allowed us to stay in touch with remote friends and relatives, easily handle business transactions and has generally brought our world together — so let's hope it makes the cut! 

For most users, how an email message flows from the sender to a recipient’s inbox is something that happens behind the scenes. When an individual or an organization sends an email, the message travels from its point of origination, such as an email client where it was composed, across the Internet to its destination. Along the way, it passes through multiple servers that help ensure it arrives at the right place. That email message flow uses a systematic process based on a number of long-established technical standards.

How does an email message flow?

Email has been around since the 1960s, when the creators of nascent computer networks began devising ways to send messages to each other. In those early days, users were limited to communicating only with others on the same shared mainframe system. However, the adoption of standard protocols and the interconnection of systems into the shared network we now know as the Internet allowed different mail systems to “talk” to each other.

It’s these standards that allow us to send email messages to virtually anyone. When someone sends an email message, it flows through a series of steps to reach its destination.

  • When an individual writes a message, it’s usually done in an email client like Outlook or Apple Mail—or in a web-based service like Gmail.
  • However, when the message is a transactional email like a shipping notice or a password reset, the message is created automatically by those systems, usually using an email API. (Marketing messages are generated by automated systems as well, although usually in large batches, rather than one at a time like transactional messages.)
  • In both cases, whether the message is created by an email client or by an automated system, it is specially formatted to be transmitted over the Internet using a standard called “Simple Mail Transfer Protocol” (SMTP).
  • The sender’s mail server (technically called a “Mail Transfer Agent,” or MTA) looks up the “@domain.com” portion of the recipient’s email address in a Domain Name System (DNS) server to determine which destination mail server (referred to as a “Mail Exchanger,” or MX) it should contact to deliver the message.
  • The sending and receiving servers communicate using the SMTP protocol. The receiving server accepts the message so that it can be delivered to the recipient.
  • The recipient’s email client retrieves the message using standards like the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) to download the message so it can be read.
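Each server in the flow above records its hop in a `Received` header, so the path of a message, and whether each hop ran over TLS, can be read back from the message itself. The following is an added example, not code from the original page; the message, hostnames and addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). The newest Received header is on top.
RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby imap.example.net with LMTP id c3; Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.example.org (out.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id b2; Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.example.org (laptop.example.org [192.0.2.10])
\tby out.example.org with ESMTPSA id a1; Tue, 02 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: Invoice

See attached.
"""

# "with" keywords registered in RFC 3848 that indicate the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def trace_hops(raw):
    """Return hops in travel order as (from_host, by_host, protocol, used_tls)."""
    msg = message_from_string(raw)
    hops = []
    # Servers prepend their header, so reverse to get sender-to-recipient order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            proto = m.group(3).upper()
            hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw):
    """Hops where the message crossed the wire without TLS."""
    return [h for h in trace_hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in trace_hops(RAW):
        print(f"{src} -> {dst} via {proto}: {'TLS' if tls else 'CLEARTEXT'}")
```

`Received` headers are written by the servers themselves, so entries added before your own trusted servers can be forged. A TLS-protected hop also only covers the wire: every server on the path still holds the readable message.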

How do email clients download a message?

Web-based email services like Gmail or Hotmail/Outlook.com use their own internal protocols to manage email. But when recipients use a stand-alone email client on a phone or desktop computer, that software uses standard protocols to download messages from mail servers.

When the recipient uses POP, the server delivers all new emails to them and keeps copies only if the corresponding option, where the email client offers one, is checked. If the server doesn’t have copies of the emails and the recipient suffers a hardware loss or failure, those messages are gone forever, unless the senders have copies of them.

When the recipient uses IMAP, the server syncs the contents of the mailbox, including its Sent Items and other folders, to each device that connects with it. The messages remain on the server, and when the status of one changes (for example, it’s read or deleted), that change propagates across all devices when they connect again.

The ability to retain and sync messages on multiple devices is why most email services today use IMAP instead of POP.

Learn More about Email Message Flow, Sending, and Delivery

Read more about email message flow

Email involves many different steps and systems. You can learn more about the inner workings of email delivery with these resources:

  • Email: This Wikipedia article delves into the history of email as well as its many technical details. It links out to several supporting articles that flesh out the main subject.
  • Email API: Learn more about how e-commerce and other systems can generate transactional email very efficiently.
  • Cloud Email Delivery: Learn more about how systems like the SparkPost email delivery service work to make large-scale email transmission and delivery practical.

Get help with email transmission and delivery with SparkPost

The SparkPost Support Center is a good place to start learning about SparkPost in general. To learn more about how to improve email message flow and practices for good email deliverability, these resources are a good place to begin:

Develop your email industry expertise and master best practices with SparkPost’s email resources.

This email boot camp will help you to increase the ROI of your email operations with 15 proven tactics for boosting email deliverability.

Learn how third-party data shows the deliverability difference between SparkPost and also-ran cloud service providers yields hard, bottom-line benefits.

This practical course is a great way to get started understanding email deliverability and how to measure email performance.
