The Simple Mail Transfer Protocol (SMTP) has been handling some of our most trusted communications since 1982. And yet, it’s own RFC admits “SMTP mail is inherently insecure”. What gives?
We’ll be taking a look at key technologies along the timeline to secure SMTP, from the first security-free(!) SMTP standard to STARTTLS, SPF, DMARC, and everywhere in between. We’ll cover a simple explanation for each standard and the basics of why it matters, presented in order of historical appearance to highlight the bigger story around SMTP and its ongoing struggle to stay modern with security. Along the way we’ll investigate where our train conductors in the saga to secure SMTP have failed, how far off the rails we are with “best practice”, and what we can do for now to bring email a little closer to on-track.