Mail Protocols
Email protocols are standardized rules that govern how emails are sent, retrieved, and managed across the internet. The three primary protocols are SMTP (used for sending), IMAP (used for modern, synced retrieval), and POP3 (older, device-specific retrieval).
When TLS is added to SMTP, POP3, and IMAP, each name gets an appended S for Secure: SMTPS, POP3S, and IMAPS, respectively.
| Protocol | Action Type | Default Unencrypted Port | Secure Port (SSL/TLS) | Core Philosophy |
|---|---|---|---|---|
| SMTP (Simple Mail Transfer Protocol) | Push (Send / Relay) | 25 (Server-to-Server); 587 (Client Submission) | 465 (Implicit TLS) | “Move this message from my client to the server, and route it to the recipient’s server.” |
| IMAP (Internet Message Access Protocol) | Pull (Remote Sync) | 143 | 993 | “Leave all messages on the server. Sync changes (reads, deletes, folders) across all devices in real-time.” |
| POP3 (Post Office Protocol v3) | Pull (Download & Delete) | 110 | 995 | “Download all new messages to this local device’s hard drive, wipe them off the server, and disconnect.” |
SMTP#
The Simple Mail Transfer Protocol (SMTP) is the foundational protocol used to send emails across the internet.
- It defines how a mail client talks with a mail server and how a mail server talks with another.
SMTP is strictly a push protocol; it is only used to send or relay messages. It cannot be used to pull messages down from a server to your device. For retrieving mail, two other protocols are used:
- IMAP (Internet Message Access Protocol): Keeps emails on the server and syncs them across multiple devices (the modern standard).
- POP3 (Post Office Protocol 3): Downloads emails to a single device and typically deletes them from the server.
```plaintext
[Your Email Client]
│
│ (SMTP Push)
▼
[Your Email Server (Outgoing MTA)]
│
│ (SMTP Relay)
▼
[Recipient's Email Server (Incoming MDA)]
│
│ (IMAP/POP3 Pull)
▼
[Recipient's Email Client]
```
Standard SMTP Ports#
- TCP port 25: The default port used in SMTP for non-encrypted communications.
- TCP port 465: The port registered by the Internet Assigned Numbers Authority (IANA) for SMTP over SSL (SMTPS). SMTPS has been deprecated in favor of STARTTLS.
- TCP port 587: The Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS. Mail user agents (MUAs) use TCP port 587 for email submission. STARTTLS can also be used over TCP port 25 in some implementations.
- TCP port 110: The default port used by the POP3 protocol in non-encrypted communications.
- TCP port 995: The default port used by the POP3 protocol in encrypted communications.
- TCP port 143: The default port used by the IMAP protocol in non-encrypted communications.
- TCP port 993: The default port used by the IMAP protocol in encrypted (SSL/TLS) communications.
Useful SMTP Commands#
Several SMTP commands can be useful for performing a security evaluation of an email server. The following are a few examples:
- HELO: Used to initiate an SMTP conversation with an email server. The command is followed by an IP address or a domain name (for example, HELO 10.1.2.14).
- EHLO: Used to initiate a conversation with an Extended SMTP (ESMTP) server. This command is used in the same way as the HELO command.
- STARTTLS: Used to start a Transport Layer Security (TLS) connection to an email server.
- RCPT: Used to denote the email address of the recipient.
- DATA: Used to initiate the transfer of the contents of an email message.
- RSET: Used to reset (cancel) an email transaction.
- MAIL: Used to denote the email address of the sender.
- QUIT: Used to close a connection.
- HELP: Used to display a help menu (if available).
- AUTH: Used to authenticate a client to the server.
- VRFY: Used to verify whether a user’s email mailbox exists.
- EXPN: Used to request, or expand, a mailing list on the remote server.
`.` is sent on a line by itself to indicate the end of the email message.
Example#
Example of an email sent via telnet. The SMTP server listens on TCP port 25 by default.
```shell
user@Linux$ telnet 10.49.137.152 25
Trying 10.49.137.152...
Connected to 10.49.137.152.
Escape character is '^]'.
220 example.com ESMTP Exim 4.95 Ubuntu Thu, 27 Jun 2024 16:18:09 +0000
HELO client.com
250 example.com Hello client.com [10.11.81.126]
MAIL FROM: <user@client.com>
250 OK
RCPT TO: <bob@server.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: user@client.com
To: bob@server.com
Subject: Telnet email
Hello. I am using telnet to send you an email!
.
250 OK id=1sMrpq-0001Ah-UT
QUIT
221 example.com closing connection
Connection closed by foreign host.
```
POP3#
The Post Office Protocol version 3 (POP3) is an older, straightforward protocol used by email clients to retrieve emails from a remote mail server over a TCP/IP connection.
- Using POP3, a recipient cannot access their emails again from a different device because they are stored locally and then deleted from the email server.
Common POP3 commands#
- USER <username>: identifies the user
- PASS <password>: provides the user’s password
- STAT: requests the number of messages and total size
- LIST: lists all messages and their sizes
- RETR <message_number>: retrieves the specified message
- DELE <message_number>: marks a message for deletion
- QUIT: ends the POP3 session applying changes, such as deletions
How POP3 Works#
By default, POP3 operates on a strict download-and-delete model.
- Your email client (like Thunderbird or Outlook) connects to the mail server.
- It authenticates using your username and password.
- It downloads all new messages to your local hard drive.
- It deletes those messages from the server.
- It disconnects.
Modern Nuance: While POP3 was built to delete mail instantly from the server, most modern email clients include a configuration setting that says “Leave a copy of messages on the server.” However, this is a local client hack rather than a native protocol feature, and syncing changes back to the server is not supported.
Standard POP3 Ports#
To connect to a POP3 server, clients use one of two ports depending on the security layer:
- Port 110 (Unencrypted): The traditional, default port. Commands and passwords are sent in cleartext, making it highly vulnerable to packet sniffing.
- Port 995 (POP3S / Encrypted): The secure, modern standard. It establishes an implicit SSL/TLS connection before any email data or passwords are exchanged.
Example#
Example POP3 session over telnet. Since the POP3 server listens on TCP port 110 by default, the command to connect to it is `telnet 10.49.137.152 110`. The exchange below retrieves the email message sent in the previous task.
```shell
user@Linux$ telnet 10.49.137.152 110
Trying 10.49.137.152...
Connected to 10.49.137.152.
Escape character is '^]'.
+OK [XCLIENT] Dovecot (Ubuntu) ready.
AUTH
+OK
PLAIN
.
USER bob
+OK
PASS
+OK Logged in.
STAT
+OK 3 1264
LIST
+OK 3 messages:
1 407
2 412
3 445
.
RETR 3
+OK 445 octets
Return-path: <user@client.com>
Envelope-to: bob@server.com
Delivery-date: Thu, 27 Jun 2024 16:19:35 +0000
Received: from [10.11.81.126] (helo=client.com)
by example.com with smtp (Exim 4.95)
(envelope-from <user@client.com>)
id 1sMrpq-0001Ah-UT
for bob@server.com;
Thu, 27 Jun 2024 16:19:35 +0000
From: user@client.com
To: bob@server.com
Subject: Telnet email
Hello. I am using telnet to send you an email!
.
QUIT
+OK Logging out.
Connection closed by foreign host.
```
IMAP#
The Internet Message Access Protocol (IMAP) is the modern standard protocol used by email clients to retrieve and manage emails stored on a remote mail server.
- Unlike POP3, which downloads and removes mail, IMAP acts as a real-time mirror. Your emails live permanently on the provider’s server, and your devices (phone, laptop, web browser) simply cache copies of them.
- IMAP allows synchronizing read, moved, and deleted messages.
- IMAP is quite convenient when you check your email via multiple clients.
How IMAP Operates#
IMAP keeps a persistent TCP connection open between the client and the server. It utilizes a feature called IMAP IDLE (defined in RFC 2177) which allows the server to proactively push notifications to your client the exact second a new email lands, without the client needing to constantly poll (poll = repeatedly ask “any new mail yet?”) the server.
Standard IMAP Ports#
- Port 143 (Unencrypted / STARTTLS): The traditional port. It starts cleartext but can be upgraded to an encrypted session if the client issues the `STARTTLS` command.
- Port 993 (IMAPS / Implicit TLS): The secure standard. It establishes an encrypted SSL/TLS session immediately upon connection before any authentication details are exchanged.
Technical Architecture: The State Machine#
An IMAP connection transitions through four primary states during a session:
- Not Authenticated State: The connection is open, but the user hasn’t logged in yet. The client must provide credentials.
- Authenticated State: The user is logged in. They can browse folder structures, create new folders, or delete mailboxes, but they haven’t selected a specific folder to read yet.
- Selected State: The user opens a specific folder (like `INBOX`). Individual messages can now be read, searched, or flags can be updated.
- Logout State: The session is closing, resources are freed, and the connection drops.
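The four states can be checked mechanically. The following added example (not code from the original page) replays tagged client commands and reports any command issued in a state that does not permit it; the command sets are a subset of IMAP4rev1, every permitted command is assumed to succeed, and the names `replay`, `ALLOWED` and `NEXT_STATE` are hypothetical.

```python
# IMAP session states named on this page.
NOT_AUTH, AUTHED, SELECTED, CLOSED = (
    "not-authenticated", "authenticated", "selected", "logout")

# Subset of IMAP4rev1 commands, grouped by the state that permits them.
ANY_STATE = {"CAPABILITY", "NOOP", "LOGOUT"}
MAILBOX_CMDS = {"SELECT", "EXAMINE", "CREATE", "DELETE", "RENAME",
                "LIST", "STATUS", "APPEND"}
MESSAGE_CMDS = {"FETCH", "STORE", "SEARCH", "COPY", "EXPUNGE",
                "CLOSE", "CHECK"}

ALLOWED = {
    NOT_AUTH: ANY_STATE | {"STARTTLS", "AUTHENTICATE", "LOGIN"},
    AUTHED: ANY_STATE | MAILBOX_CMDS,
    SELECTED: ANY_STATE | MAILBOX_CMDS | MESSAGE_CMDS,
    CLOSED: set(),
}
# Assumption: every permitted command succeeds (the server answers OK).
NEXT_STATE = {"LOGIN": AUTHED, "AUTHENTICATE": AUTHED, "SELECT": SELECTED,
              "EXAMINE": SELECTED, "CLOSE": AUTHED, "LOGOUT": CLOSED}

# Client lines as they appear in the page's telnet transcript.
PAGE_SESSION = ["A LOGIN bob", "B SELECT inbox", "C FETCH 3 body[]", "D LOGOUT"]

def replay(client_lines, state=NOT_AUTH):
    """Replay tagged commands; return (final_state, violations)."""
    violations = []
    for line in client_lines:
        parts = line.split()
        if len(parts) < 2:
            violations.append((line, "", state))  # missing tag or command
            continue
        tag, command = parts[0], parts[1].upper()
        if command not in ALLOWED[state]:
            # Out-of-state command: record it and leave the state unchanged.
            violations.append((tag, command, state))
            continue
        state = NEXT_STATE.get(command, state)
    return state, violations

if __name__ == "__main__":
    print(replay(PAGE_SESSION))
    # Constructed bad session: FETCH before any login.
    print(replay(["A FETCH 1 body[]", "B LOGIN bob", "C LOGOUT"]))
```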
IMAP System Flags#
When managing messages in the Selected State, IMAP tracks the state of individual emails using binary status flags:
- `\Seen`: Message has been read.
- `\Answered`: Message has been replied to.
- `\Flagged`: Message is marked as important/starred.
- `\Deleted`: Message is marked for deletion. It isn’t actually removed from the disk until the client sends an `EXPUNGE` command or closes the session.
- `\Draft`: Message is still being composed.
Example#
Since the IMAP server listens on TCP port 143 by default, we will use telnet to connect to 10.49.137.152’s port 143 and fetch the message we sent in an earlier task.
```shell
user@Linux$ telnet 10.10.41.192 143
Trying 10.10.41.192...
Connected to 10.10.41.192.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.
A LOGIN bob
A OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY PREVIEW STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in
B SELECT inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 4 EXISTS
* 0 RECENT
* OK [UNSEEN 2] First unseen.
* OK [UIDVALIDITY 1719824692] UIDs valid
* OK [UIDNEXT 5] Predicted next UID
B OK [READ-WRITE] Select completed (0.001 + 0.000 secs).
C FETCH 3 body[]
* 3 FETCH (BODY[] {445}
Return-path: <user@client.com>
Envelope-to: bob@server.com
Delivery-date: Thu, 27 Jun 2024 16:19:35 +0000
Received: from [10.11.81.126] (helo=client.com)
by example.com with smtp (Exim 4.95)
(envelope-from <user@client.com>)
id 1sMrpq-0001Ah-UT
for bob@server.com;
Thu, 27 Jun 2024 16:19:35 +0000
From: user@client.com
To: bob@server.com
Subject: Telnet email
Hello. I am using telnet to send you an email!
)
C OK Fetch completed (0.001 + 0.000 secs).
D LOGOUT
* BYE Logging out
D OK Logout completed (0.001 + 0.000 secs).
Connection closed by foreign host.
```
How They Interact: The Email Lifecycle#
If you send an email from a laptop to a friend who reads it on their phone, all three protocols can be triggered in a specific sequence:
```plaintext
[ Your Device ] ──( SMTP Port 587 )──> [ Your Outgoing Mail Server ]
                                                    │
                                             ( SMTP Port 25 )
                                                    ▼
[ Recipient Device ] <──( IMAP Port 993 )── [ Their Incoming Mail Server ]
```
- Submission: Your email client uses SMTP (usually over port 587 with STARTTLS) to upload the draft to your provider’s Mail Transfer Agent (MTA).
- Relay: Your provider’s server looks up the MX (Mail Exchanger) records in the recipient’s DNS to find their mail server. It routes the message across the internet using SMTP (over port 25) to the destination server.
- Delivery & Storage: The receiving server’s Mail Delivery Agent (MDA) accepts the message and drops it into the recipient’s mailbox storage.
- Retrieval: The recipient opens their phone. Their mail client hits the server using IMAP (port 993) to cache and view the message while leaving the master copy on the server, or POP3 (port 995) to download it permanently to local storage.
The Modern Ecosystem#
While SMTP, IMAP, and POP3 handle the actual transit and retrieval of text, modern email relies heavily on companion protocols to ensure security, formatting, and web integration:
1. Security & Authentication (Anti-Spoofing Layer)#
Because vanilla SMTP allows anyone to forge the sender address given in MAIL FROM:, modern infrastructure relies on a triad of DNS-based authentication:
- SPF (Sender Policy Framework): A DNS record where a domain specifies exactly which IP addresses are authorized to send emails on its behalf.
- DKIM (DomainKeys Identified Mail): Uses public-key cryptography to append a digital signature to email headers, verifying that the message body wasn’t altered in transit.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Specifies how a receiver should handle an email that fails SPF or DKIM checks (e.g., `p=reject` or `p=quarantine`).
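To make the SPF and DMARC settings concrete, here is an added example (not from the original page) that parses the two DNS TXT records and reports weak anti-spoofing settings, with a permissive record beside a strict one. The record values, the `example.test` domain and the helper names are constructed for illustration.

```python
# Constructed TXT records: a permissive pair and a strict pair.
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 +all"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.test"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"

def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_findings(txt):
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("reject", "quarantine"):
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail")
    return findings

def spf_findings(txt):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    findings = []
    # The 'all' mechanism decides the result for senders not listed earlier.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    has_redirect = any(t.startswith("redirect=") for t in terms[1:])
    if not all_terms and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms and all_terms[0] in ("all", "+all"):
        findings.append("+all: every IP address is authorized to send")
    elif all_terms and all_terms[0] == "?all":
        findings.append("?all: unlisted senders get a neutral result")
    return findings

if __name__ == "__main__":
    for record in (WEAK_SPF, STRICT_SPF):
        print(record, "->", spf_findings(record))
    for record in (WEAK_DMARC, STRICT_DMARC):
        print(record, "->", dmarc_findings(record))
```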
2. Message Formatting#
- MIME (Multipurpose Internet Mail Extensions): The standard that extends the original 7-bit ASCII text restrictions of basic SMTP. MIME allows emails to carry HTML formatting, international character sets (UTF-8), and binary attachments (images, PDFs).
3. Proprietary & Web Alternatives#
- MAPI/RPC & EWS (Exchange Web Services): Microsoft’s proprietary protocols used by Outlook and Exchange servers to sync not just mail, but calendars, tasks, and corporate contacts seamlessly.
- HTTP / Web APIs: Modern clients (like the Gmail app or web browser interfaces) often bypass IMAP/SMTP entirely. Instead, they use proprietary REST APIs over HTTPS to fetch and send mail, which is faster and better optimized for mobile battery life and unstable network connections.