Computer NetworksEmail Architecture

Email Architecture: The Foundation of Electronic Messaging

LevelIntermediate

Duration90 mins

TopicEmail Architecture

4 / 5

Mail Flow

The Journey of an Email Message

When you click "Send" on an email, you initiate a remarkable journey through the global Internet infrastructure. Within seconds—or sometimes milliseconds—your message traverses networks, passes through multiple servers, undergoes security checks, and arrives in your recipient's inbox. This apparent simplicity masks a sophisticated multi-stage process involving numerous protocols, components, and decisions.

Understanding mail flow is essential for anyone operating email infrastructure, troubleshooting delivery issues, or designing systems that integrate with email. Each stage presents opportunities for filtering, logging, security enforcement, and potential failure. Knowing where to look when mail doesn't arrive, understanding why legitimate mail ends up in spam folders, and designing reliable email-based workflows all require mastery of the complete message journey.

This page traces an email's complete path from the moment a user composes it until the recipient reads it, examining every component interaction, protocol exchange, and potential failure point.

What You Will Learn

By completing this page, you will be able to trace any email's journey through the delivery infrastructure, identify where failures occur, understand how spam filtering decisions are made, and optimize delivery for legitimate email. You'll master the complete mail flow from composition to reading.

Mail Flow Overview: The Complete Picture

Email flow follows the store-and-forward model—messages are stored at each hop before being forwarded to the next. This fundamental architecture choice ensures reliability: even if the next server is temporarily unavailable, the message is safely queued for later delivery.

The complete mail flow consists of these major stages:

Seven Stages of Email Delivery

•Composition — User creates message in MUA (email client), enters recipients, writes content, attaches files
•Submission — MUA authenticates and submits message to MSA via SMTP (port 587)
•Routing — MTA queries DNS for recipient domain's MX records to determine delivery path
•Transfer — MTA relays message to recipient domain's MTA via SMTP (port 25)
•Filtering — Receiving MTA performs spam/virus/policy checks before acceptance
•Delivery — MDA places message in recipient's mailbox after any final processing
•Retrieval — Recipient's MUA fetches message via IMAP/POP3 for reading

Converting Mermaid diagram...

Timing Characteristics:

Mail flow timing varies dramatically based on conditions:

Scenario	Typical Timing	Determining Factors
Local delivery (same server)	< 1 second	No network transit, no MX lookup
Standard internet delivery	2-30 seconds	DNS lookup, connection setup, filtering
Greylist delayed	5-15 minutes	Initial rejection, retry on schedule
Deferred delivery	Minutes to hours	Temporary rejection, retry backoff
Queued delivery	Up to 5 days	Recipient server unreachable

Stage 1: Message Composition

The mail flow begins when a user composes a message in their Mail User Agent (MUA). While seemingly straightforward, the composition stage involves significant processing as the MUA constructs a properly formatted message.

User Actions During Composition:

Entering recipient addresses (To, Cc, Bcc)
Writing subject line
Composing message body (plain text and/or HTML)
Attaching files
Setting priority, read receipts, or other options
Saving drafts during composition

MUA Responsibilities During Composition:

MUA Composition Processing

•Address Validation — Syntax checking of email addresses (RFC 5321 format). Local address book lookup. Auto-completion suggestions. Warning for unusual domains.
•Message Structure Creation — Generating MIME structure for body and attachments. Selecting appropriate Content-Type for each part. Creating multipart boundaries.
•Character Encoding — Converting text to UTF-8 or appropriate encoding. Encoding non-ASCII header content per RFC 2047. Handling international domain names (IDN).
•Attachment Processing — Reading file contents. Base64 encoding binary data. Determining MIME type from file extension or content. Adding Content-Disposition headers.
•Header Generation — Creating From, To, Cc, Subject headers. Generating unique Message-ID. Adding Date header with current timestamp. User-Agent identification header.
•Draft Management — Periodic auto-save to server (IMAP Drafts folder) or local storage. Maintaining draft state for resume capability.

Message Constructed by MUA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
From: Alice Smith <alice@sender.com>
To: Bob Jones <bob@recipient.com>
Cc: Carol White <carol@recipient.com>
Bcc: Dave Black <dave@hidden.com>
Subject: Quarterly Report
Date: Mon, 17 Jan 2026 12:30:00 +0530
Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
User-Agent: Mozilla Thunderbird 115.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_001"
 
------=_Part_001
Content-Type: multipart/alternative; boundary="----=_Part_002"
 
------=_Part_002
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
 
Hi Bob,
 
Please find the quarterly report attached.
 
Best regards,
Alice
 
------=_Part_002
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
 
<!DOCTYPE html>
<html><body>
<p>Hi Bob,</p>
<p>Please find the quarterly report attached.</p>
<p>Best regards,<br>Alice</p>
</body></html>
 
------=_Part_002--
 
------=_Part_001
Content-Type: application/pdf; name="Q4-Report.pdf"
Content-Disposition: attachment; filename="Q4-Report.pdf"
Content-Transfer-Encoding: base64
 
JVBERi0xLjQKJeLjz9MKMSAwIG9iago8PAovVHlwZSAvQ2F0YWxvZwov
... (base64 encoded PDF content) ...
 
------=_Part_001--

Bcc Handling

The MUA constructs the message with Bcc recipients in the header, but the MSA/MTA is responsible for removing the Bcc header before transmission to visible recipients. Mail is delivered to Bcc addresses, but they are stripped from the message those recipients receive.

Stage 2: Message Submission (MUA → MSA)

When the user clicks "Send," the MUA initiates an SMTP connection to the configured Mail Submission Agent (MSA) on port 587. This submission stage authenticates the sender and validates the message before it enters the mail transfer system.

Submission Flow Steps:

SMTP Submission Sequence

•TCP Connection — MUA establishes TCP connection to MSA on port 587 (or 465 for implicit TLS)
•Server Greeting — MSA sends 220 banner identifying itself and confirming readiness
•ESMTP Negotiation — MUA sends EHLO, server responds with supported extensions
•TLS Upgrade — MUA issues STARTTLS, server agrees, TLS handshake encrypts connection
•Re-Negotiation — After TLS, MUA sends EHLO again to discover post-TLS capabilities
•Authentication — MUA authenticates using SASL (PLAIN, LOGIN, or OAuth 2.0 bearer token)
•Envelope Sender — MAIL FROM specifies the envelope sender for bounces
•Envelope Recipients — RCPT TO specifies each recipient address
•Data Transfer — DATA command followed by message headers and body
•Acceptance — Server responds 250 OK, message queued for delivery
•Disconnection — QUIT command closes session gracefully

MSA Processing:

The MSA performs critical validation before accepting the message:

Authentication Verification:

Verify submitted credentials against user database (LDAP, database, etc.)
Check that authenticated user is authorized to send as specified sender
Rate-limit per-user to prevent abuse

Message Validation:

Syntax check of envelope addresses
Message format compliance (RFC 5322)
Size limit enforcement
Attachment type restrictions (organizational policy)

Header Processing:

Add Received header documenting receipt
Add/verify Message-ID if missing
Add Date header if missing
Strip Bcc header from message content
May add X-Originating-IP for tracking

Signing:

DKIM signature computation and addition (if configured)
Organization digital signature (if required)

Complete Submission Session Trace
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Submission session from alice@sender.com to MSA
 
>> [TCP Connect to mail.sender.com:587]
 
<< 220 mail.sender.com ESMTP Ready
 
>> EHLO [192.168.1.100]
 
<< 250-mail.sender.com Hello
<< 250-PIPELINING
<< 250-SIZE 52428800
<< 250-STARTTLS
<< 250-AUTH PLAIN LOGIN XOAUTH2
<< 250-ENHANCEDSTATUSCODES
<< 250 DSN
 
>> STARTTLS
 
<< 220 2.0.0 Ready to start TLS
 
>> [TLS 1.3 Handshake - Certificate: *.sender.com]
 
>> EHLO [192.168.1.100]
 
<< 250-mail.sender.com Hello
<< 250-AUTH PLAIN LOGIN XOAUTH2
<< 250 OK
 
>> AUTH PLAIN AGFsaWNlQHNlbmRlci5jb20AcGFzc3dvcmQxMjM=
 
<< 235 2.7.0 Authentication successful
 
>> MAIL FROM:<alice@sender.com> SIZE=15234
 
<< 250 2.1.0 OK
 
>> RCPT TO:<bob@recipient.com>
 
<< 250 2.1.5 OK
 
>> RCPT TO:<carol@recipient.com>
 
<< 250 2.1.5 OK
 
>> RCPT TO:<dave@hidden.com>
 
<< 250 2.1.5 OK
 
>> DATA
 
<< 354 Start mail input; end with <CRLF>.<CRLF>
 
>> From: Alice Smith <alice@sender.com>
>> To: Bob Jones <bob@recipient.com>
>> Cc: Carol White <carol@recipient.com>
>> Subject: Quarterly Report
>> Date: Mon, 17 Jan 2026 12:30:00 +0530
>> Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hi Bob,
>>
>> Please find the quarterly report attached.
>>
>> Best regards,
>> Alice
>> .
 
<< 250 2.0.0 OK: queued as 4F7B892C1A
 
>> QUIT
 
<< 221 2.0.0 Bye

Stage 3: Message Routing (DNS MX Lookup)

After the MSA accepts the message, it enters the Mail Transfer Agent's queue. The MTA must now determine where to send the message—a process dependent on DNS MX (Mail Exchanger) record lookups.

Routing Algorithm:

For each recipient domain, the sending MTA follows this logic:

MX Resolution Steps

•Query MX Records — DNS query for MX records of recipient domain (e.g., recipient.com)
•Sort by Priority — Order MX records by preference value (lower = higher priority)
•Resolve A/AAAA Records — Get IP address(es) for highest priority MX hostname
•Attempt Connection — Try connecting to IP addresses in order
•Fallback on Failure — If all IPs for highest priority fail, try next priority MX
•No MX Fallback — If no MX records exist, attempt delivery to A/AAAA of domain itself
•Queue on Total Failure — If all attempts fail, queue message for retry

DNS MX Lookup Process
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# MTA routing query for bob@recipient.com
 
# Step 1: Query MX records
$ dig MX recipient.com
 
;; ANSWER SECTION:
recipient.com.     3600  IN  MX  10 mx1.recipient.com.
recipient.com.     3600  IN  MX  10 mx2.recipient.com.
recipient.com.     3600  IN  MX  20 mx-backup.recipient.com.
 
# MTA interpretation:
# Priority 10: mx1.recipient.com (primary)
# Priority 10: mx2.recipient.com (primary, load balanced)
# Priority 20: mx-backup.recipient.com (backup)
 
# Step 2: Resolve primary MX
$ dig A mx1.recipient.com
 
;; ANSWER SECTION:
mx1.recipient.com.   300  IN  A   203.0.113.10
 
$ dig A mx2.recipient.com
 
;; ANSWER SECTION:
mx2.recipient.com.   300  IN  A   203.0.113.11
 
# Step 3: MTA attempts connection in order:
# 1. Try mx1.recipient.com:25 (203.0.113.10)
#    If successful -> deliver
#    If connection refused/timeout -> try mx2
# 2. Try mx2.recipient.com:25 (203.0.113.11)
#    If successful -> deliver  
#    If connection refused/timeout -> try backup
# 3. Try mx-backup.recipient.com:25
#    If successful -> deliver
#    If all fail -> queue for retry
 
# Note: Same-priority MX records (10 and 10) are typically
# load-balanced by random selection or round-robin

Routing Edge Cases:

Multiple Recipient Domains: When a message has recipients in multiple domains, the MTA must route separately to each domain. The message is duplicated and delivered to each domain's MX independently.

Sender Domain Considerations:

MTA checks sender domain has valid MX or A record (rejectability)
Some receivers verify sender can receive bounces

MX Record Edge Cases:

Scenario	Behavior
No MX records exist	Fall back to A/AAAA record of domain
MX points to CNAME	Technically invalid (but often works)
MX priority 0	Valid but unusual (null MX means no mail accepted)
All MX unreachable	Queue and retry per RFC 5321 guidelines
MX points to IP	Invalid (must be hostname)

Null MX (RFC 7505):

Domains that never receive email can advertise this fact:

example.com. IN MX 0 .

The single dot (.) as the MX target with priority 0 explicitly indicates "this domain does not accept mail." Compliant senders immediately generate bounces rather than attempting delivery.

DNS TTL Considerations

MX records are cached according to their TTL (Time To Live). When migrating mail servers, set low TTLs in advance to ensure changes propagate quickly. Standard TTLs of 1-24 hours can cause prolonged delivery issues during transitions.

Stage 4: Message Transfer (MTA → MTA)

With the destination MX resolved, the sending MTA initiates an SMTP connection to the receiving MTA on port 25. This server-to-server transfer differs from submission in authentication expectations and represents the core internet mail relay function.

SMTP Transfer Characteristics:

No Authentication (Typically): Unlike submission on port 587, MTA-to-MTA transfer on port 25 traditionally does not require SMTP AUTH. Any server may attempt to deliver mail to an MX. This openness is fundamental to email's distributed architecture but creates spam challenges.

TLS Opportunistic (STARTTLS): Modern MTAs negotiate TLS when available:

Sender offers STARTTLS
Receiver advertises STARTTLS support
If both support, connection upgrades to encrypted
If receiver doesn't support, sender may proceed unencrypted or defer

MTA-to-MTA Transfer Session
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# Transfer from sender MTA to recipient MTA (port 25)
 
>> [TCP Connect to mx1.recipient.com:25]
 
<< 220 mx1.recipient.com ESMTP Ready
 
>> EHLO mail.sender.com
 
<< 250-mx1.recipient.com Hello mail.sender.com [198.51.100.10]
<< 250-STARTTLS
<< 250-SIZE 104857600
<< 250-8BITMIME
<< 250-ENHANCEDSTATUSCODES
<< 250-PIPELINING
<< 250 DSN
 
>> STARTTLS
 
<< 220 2.0.0 Ready to start TLS
 
>> [TLS handshake completes]
 
>> EHLO mail.sender.com
 
<< 250-mx1.recipient.com Hello mail.sender.com [198.51.100.10]
<< 250-SIZE 104857600
<< 250-8BITMIME
<< 250 OK
 
>> MAIL FROM:<alice@sender.com>
 
<< 250 2.1.0 OK
 
>> RCPT TO:<bob@recipient.com>
 
<< 250 2.1.5 OK
 
>> DATA
 
<< 354 Start mail input
 
>> Received: from [192.168.1.100] (unknown [198.51.100.5])
>>   by mail.sender.com (Postfix) with ESMTPSA id 4F7B892C1A
>>   for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:00 +0530
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.com;
>>   s=default; h=from:to:subject:date:message-id;
>>   bh=lK7kgXBJl+8k7hjd...; b=pXjmxY...
>> From: Alice Smith <alice@sender.com>
>> To: Bob Jones <bob@recipient.com>
>> Subject: Quarterly Report
>> Date: Mon, 17 Jan 2026 12:30:00 +0530
>> Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
>> [... message body ...]
>> .
 
<< 250 2.0.0 OK: queued as 8A3C4D5E6F
 
>> QUIT
 
<< 221 2.0.0 Bye

Received Headers:

Each MTA adds a "Received" header documenting the hop. These headers create an audit trail:

Received: from mail.sender.com (mail.sender.com [198.51.100.10])
    by mx1.recipient.com (Postfix) with ESMTPS id 8A3C4D5E6F
    for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:05 +0530

Multi-Hop Scenarios:

Messages may traverse multiple MTAs:

Internal relay servers within organizations
Border gateways before internal mail systems
Backup MX holding mail for unavailable primary
Email service providers handling customer domains

Each hop adds latency and a Received header, creating traceable delivery paths.

Response Codes:

Code	Meaning	Action
250	Message accepted	Delivery complete
421	Service unavailable	Temporary, retry
450	Mailbox unavailable	Temporary, retry
451	Local processing error	Temporary, retry
452	Insufficient storage	Temporary, retry
500-504	Syntax/command errors	Permanent failure
550	Mailbox unavailable	Permanent, bounce
551	User not local	Permanent, forward info
552	Exceeded storage	Permanent, bounce
553	Mailbox name invalid	Permanent, bounce
554	Transaction failed	Permanent, bounce

Stage 5: Message Filtering and Security

Before accepting a message, the receiving MTA performs extensive security and policy checks. This filtering stage determines whether mail reaches the inbox, spam folder, quarantine, or is rejected outright.

Filtering Occurs at Multiple Points:

Pre-DATA Checks — Before message content is transmitted
Post-DATA Checks — After full message is received
Post-Queue Checks — After acceptance, before final delivery

Pre-DATA Filtering (Connection and Envelope)

•IP Reputation Check — Query DNSBLs (DNS-based Blacklists) like Spamhaus, Barracuda, SpamCop. Connecting IP's reputation significantly influences acceptance.
•Reverse DNS Verification — Check that connecting IP has valid PTR record. Many servers reject mail from IPs without reverse DNS.
•HELO/EHLO Verification — Validate hostname provided. Reject if it doesn't resolve or mismatches connection IP.
•SPF Check — Query DNS for sender domain's SPF record. Verify sending IP is authorized for that domain.
•Rate Limiting — Limit connections per IP per time period. Throttle suspected spam sources.
•Greylisting — Temporarily reject first attempt from unknown sender/recipient/IP triplets. Legitimate servers retry; spambots typically don't.
•Recipient Verification — Verify recipient address exists before accepting message. Prevents backscatter from invalid addresses.

Post-DATA Filtering (Content Analysis)

•DKIM Verification — Validate cryptographic signature against DNS-published public key. Confirms message integrity and authorized sender.
•DMARC Evaluation — Check sender's DMARC policy. Combine SPF and DKIM results with alignment requirements. Apply policy (none/quarantine/reject).
•Spam Content Analysis — Bayesian filtering on content patterns. Signature matching against known spam. Heuristic rules (SpamAssassin, Rspamd).
•Virus Scanning — Scan attachments with anti-virus engines (ClamAV, commercial AV). Detect malware, ransomware, exploit documents.
•URL Analysis — Check URLs against phishing databases. Reputation lookup for linked domains. Link rewriting for safe browsing.
•Attachment Policy — Block dangerous file types (.exe, .js, .vbs). Verify file types match extensions. Unpack and scan archives.
•DLP (Data Loss Prevention) — Enterprise-specific content policies. Detect sensitive data (credit cards, SSN). Enforce compliance rules.

SPF, DKIM, DMARC Verification Flow:

Received message: From: alice@sender.com

1. SPF Check:
   Query: sender.com TXT record
   Result: v=spf1 mx ip4:198.51.100.0/24 -all
   Connecting IP: 198.51.100.10
   Verdict: PASS (IP in authorized range)

2. DKIM Check:
   Signature selector: "default"
   Query: default._domainkey.sender.com TXT
   Result: v=DKIM1; k=rsa; p=MIGfMA0...
   Signature verification: VALID
   Verdict: PASS

3. DMARC Check:
   Query: _dmarc.sender.com TXT
   Result: v=DMARC1; p=reject; adkim=s; aspf=s
   SPF alignment: PASS (From domain matches envelope)
   DKIM alignment: PASS (From domain matches signed domain)
   Verdict: PASS

Final authorization: ACCEPT (all checks passed)

Filtering Outcomes:

Outcome	When Applied	User Experience
Accept to Inbox	All checks pass, low spam score	Normal delivery
Accept to Spam	Moderate spam signals, policy	Spam folder
Quarantine	High spam score, admin review	Delayed, reviewed
Reject (SMTP)	Security policy violation	Sender gets bounce
Drop (Silently)	Known spam, virus	No notification

Reject vs. Drop

SMTP rejection (5xx response) notifies senders of delivery failure. Silent dropping prevents backscatter but may lose legitimate mail without notification. Organizations must balance spam prevention against the risk of silently losing mail.

Stage 6: Local Delivery (MTA → MDA → Mailbox)

After passing all filters, the message reaches the Mail Delivery Agent (MDA) for final delivery to the recipient's mailbox. This local delivery stage performs final processing and persistent storage.

MDA Invocation Methods:

The MTA hands off messages to the MDA through several possible mechanisms:

MTA-to-MDA Handoff Methods

•LMTP (Local Mail Transfer Protocol) — SMTP-like protocol for efficient local delivery. Supports per-recipient responses. Preferred for virtual mailbox systems. Dovecot provides LMTP daemon.
•Pipe to LDA Program — Direct execution of LDA binary (e.g., deliver, maildrop). Message passed via stdin. Exit code indicates success/failure.
•File-Based Handoff — Write to shared spool directory. MDA watches for new files. Less efficient but simple.
•Internal Integration — MTA includes built-in MDA functionality. Common in all-in-one solutions.

MDA Processing Steps:

User Resolution:
- Look up recipient address in directory (LDAP, database, passwd)
- Resolve aliases and forwards
- Determine mailbox location
Quota Checking:
- Check user's storage quota
- Reject or defer if quota exceeded
- May notify user of quota status
Sieve Filtering:
- Execute user's Sieve filter scripts
- File to folders based on rules
- Forward copies as configured
- Set flags, vacation responses
Final Delivery:
- Write message to mailbox format (Maildir, mbox, database)
- Update mailbox indexes
- Set new message flag
- Trigger push notifications

Dovecot LMTP Delivery Log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Dovecot LMTP delivery log entry
 
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346): 
  Connect from local
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com): 
  8A3C4D5E6F: msgid=<550e8400-e29b-41d4-a716-446655440000@sender.com>: 
  saved mail to INBOX
 
# Breakdown:
# - Accepted from local MTA via LMTP
# - Recipient: bob@recipient.com
# - Queue ID: 8A3C4D5E6F (correlates with MTA logs)
# - Message-ID: from sender
# - Destination: INBOX (default folder)
 
# With Sieve filtering:
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com):
  sieve: msgid=<550e8400...@sender.com>: 
  stored mail into mailbox 'Projects/Quarterly-Reports'
 
# Quota warning example:
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com):
  Warning: user is over quota (quota: 1024 MB, used 1020 MB)

Mailbox Storage Formats:

Maildir Format:

/var/mail/vhosts/recipient.com/bob/
├── cur/           # Read messages
│   └── 1737105010.V802I....:2,S
├── new/           # Unread messages (just delivered)
│   └── 1737105610.V802I...
├── tmp/           # Temporary during delivery
├── dovecot.index
├── dovecot.index.cache
└── dovecot.index.log

dbox/mdbox (Dovecot optimized):

Multiple messages per file
Better performance for large mailboxes
Metadata in separate index files
Dovecot-specific format

Database Storage:

Messages stored as database records
Enables sophisticated querying
Common in webmail-focused systems
Requires database administration

Stage 7: Message Retrieval (Mailbox → MUA)

The final stage occurs when the recipient checks their email. The Mail User Agent connects to the Mail Access Agent (IMAP/POP3 server) to retrieve and display the delivered message.

Retrieval Initiation:

Retrieval may be triggered by:

User manually checking email
Scheduled polling (every N minutes)
IMAP IDLE push notification of new mail
Mobile push notification triggering app fetch

IMAP Retrieval Pattern:

Connect to IMAP server (port 993 TLS)
Authenticate user
SELECT INBOX
Check for new messages (EXISTS count, UIDNEXT)
FETCH new message envelopes (headers)
Display message list to user
User selects message
FETCH message body
Render message for display
STORE \Seen flag to mark read

POP3 Retrieval Pattern:

Connect to POP3 server (port 995 TLS)
Authenticate user
STAT to get message count
LIST to get message sizes
RETR each message (full download)
Store messages locally
DELE to mark for deletion (optional)
QUIT to finalize session
Server removes marked messages
User reads from local store

IMAP Message Retrieval Session
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Bob's MUA retrieves Alice's message via IMAP
 
>> [Connect to imap.recipient.com:993 with TLS]
 
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE] IMAP ready
C: A001 LOGIN "bob@recipient.com" "password"
S: A001 OK LOGIN completed
 
C: A002 SELECT INBOX
S: * 147 EXISTS
S: * 1 RECENT
S: * OK [UNSEEN 147]
S: * OK [UIDVALIDITY 1234567890]
S: * OK [UIDNEXT 2048]
S: A002 OK [READ-WRITE] SELECT completed
 
# MUA sees 1 new message (RECENT), message 147 is unread
 
C: A003 FETCH 147 (UID FLAGS ENVELOPE BODYSTRUCTURE)
S: * 147 FETCH (
     UID 2047
     FLAGS ()
     ENVELOPE (
       "Mon, 17 Jan 2026 12:30:00 +0530"
       "Quarterly Report"
       (("Alice Smith" NIL "alice" "sender.com"))
       (("Bob Jones" NIL "bob" "recipient.com"))
       NIL NIL NIL
       "<550e8400-e29b-41d4-a716-446655440000@sender.com>"
     )
     BODYSTRUCTURE (...)
   )
S: A003 OK FETCH completed
 
# User clicks to read message body
 
C: A004 FETCH 147 (BODY[TEXT])
S: * 147 FETCH (BODY[TEXT] {256}
   Hi Bob,
   
   Please find the quarterly report attached.
   
   Best regards,
   Alice
   )
S: A004 OK FETCH completed
 
# Mark as read
C: A005 STORE 147 +FLAGS (\Seen)
S: * 147 FETCH (FLAGS (\Seen))
S: A005 OK STORE completed
 
# Return to IDLE for push
C: A006 IDLE
S: + idling

Push Notification Flow:

Modern mobile email delivery often involves push notifications:

IMAP IDLE: Client maintains persistent connection; server pushes new message notification
Proprietary Push (Gmail, Outlook): Server sends push via platform services (APNs, FCM); app wakes and fetches
Exchange ActiveSync: Server pushes notification indicating new mail; client syncs changed items

Complete Message Journey Summary:

Alice's message to Bob traversed:

Alice's MUA → MSA (submission, port 587, authenticated)
Sender MTA → DNS (MX lookup for recipient.com)
Sender MTA → Recipient MTA (transfer, port 25)
Recipient filters (SPF, DKIM, DMARC, spam, virus)
Recipient MTA → MDA (local delivery via LMTP)
MDA → Mailbox (written to Maildir/INBOX)
MAA → Bob's MUA (retrieved via IMAP, port 993)

Troubleshooting Mail Flow: Logs and Diagnostics

When mail doesn't arrive as expected, understanding how to trace its path through logs is an essential skill for email administrators and developers.

Key Log Locations:

Component	Typical Log Location	What It Shows
Postfix	/var/log/mail.log	Submission, transfer, local delivery
Dovecot	/var/log/mail.log	IMAP/POP3 access, LDA delivery
Exchange	Event Viewer / Message Tracking	End-to-end flow
Rspamd	/var/log/rspamd/rspamd.log	Spam filtering decisions
ClamAV	/var/log/clamav/clamav.log	Virus detection

Tracing by Message-ID:

Every message has a unique Message-ID header. Searching logs for this ID reveals the complete path:

# Find all log entries for a specific message
grep "550e8400-e29b-41d4-a716" /var/log/mail.log

# Postfix queue ID correlation
grep "4F7B892C1A" /var/log/mail.log

Common Mail Flow Issues and Diagnostics

•Message not sent — Check MUA's Outbox/Sent folder. Verify MSA connection and authentication. Check MUA error messages. Examine submission logs.
•Message stuck in queue — Check MTA queue (mailq in Postfix). Examine deferred queue reasons. Test connectivity to recipient MX. Verify DNS resolution.
•Rejected by recipient — Check bounce message details. Verify sender DNS (SPF, DKIM, DMARC). Check sending IP reputation. Review rejection code and message.
•Delivered to spam — Analyze email headers for spam scores. Check authentication results header. Review sender reputation. Verify DKIM alignment.
•Message not in inbox — Verify delivery logs show acceptance. Check spam folder. Review user Sieve filtering rules. Verify correct recipient address.
•Delayed delivery — Check for greylisting (temporary rejection). Examine queue retry schedule. Verify recipient server availability. Check for rate limiting.

Email Header Analysis Example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Key headers to examine for troubleshooting
 
# 1. Received headers (read bottom-to-top for chronological order)
Received: from mx1.recipient.com (mx1.recipient.com [203.0.113.10])
        by imap.recipient.com (Dovecot) with LMTP id XYZ789
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:08 +0530
Received: from mail.sender.com (mail.sender.com [198.51.100.10])
        by mx1.recipient.com (Postfix) with ESMTPS id 8A3C4D5E6F
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:05 +0530
Received: from [192.168.1.100] (unknown [198.51.100.5])
        by mail.sender.com (Postfix) with ESMTPSA id 4F7B892C1A
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:00 +0530
 
# 2. Authentication results (added by receiving server)
Authentication-Results: mx1.recipient.com;
        dkim=pass header.d=sender.com header.s=default;
        spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=sender.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=sender.com
 
# 3. Spam/filter results (if present)
X-Spam-Status: No, score=-2.1 required=5.0 
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        DKIM_VALID_EF=-0.1, SPF_PASS=-0.5, RCVD_IN_DNSWL_MED=-1.4]
X-Spam-Score: -2.1
 
# 4. DKIM signature (for verification)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.com;
        s=default; h=from:to:subject:date:message-id;
        bh=lK7kgXBJl+8k7hjd...;
        b=pXjmxY...

Summary: The Complete Mail Journey

We have traced an email's complete journey from sender to recipient, examining every component, protocol, and potential failure point. Let's consolidate this knowledge:

Key Takeaways

•Email follows store-and-forward architecture — Messages are stored at each hop, ensuring reliability despite transient failures.
•Composition creates properly structured messages — MUAs generate RFC-compliant headers, MIME structure, and encoded content.
•Submission requires authentication — Port 587 MSAs verify sender identity before accepting messages into the mail system.
•DNS MX records drive routing — MTAs query DNS to determine which servers handle mail for each domain.
•MTA-to-MTA transfer uses port 25 — Server-to-server relay connects to recipient MX without authentication, using TLS opportunistically.
•Filtering determines message fate — SPF, DKIM, DMARC, spam analysis, and virus scanning classify messages before delivery.
•Local delivery writes to mailbox — MDAs apply final filtering, quota checks, and store messages for retrieval.
•Retrieval completes the journey — IMAP or POP3 enables users to access delivered messages from any device.
•Headers and logs enable troubleshooting — Received headers, authentication results, and server logs trace complete message paths.

What's Next:

With mail flow mastered, we'll examine Email Addressing—understanding address formats, domain handling, aliases, forwarding, catch-all configurations, and the addressing schemes that route billions of messages daily.

Page Complete

You now possess complete understanding of email message flow—from the moment a user clicks 'Send' through every hop, filter, and storage operation until the recipient reads the message. This knowledge enables you to troubleshoot delivery issues, optimize mail infrastructure, and understand why mail behaves as it does.

4 / 5

Loading learning content...

Computer NetworksEmail Architecture

Email Architecture: The Foundation of Electronic Messaging

LevelIntermediate

Duration90 mins

TopicEmail Architecture

4 / 5

Mail Flow

The Journey of an Email Message

This page traces an email's complete path from the moment a user composes it until the recipient reads it, examining every component interaction, protocol exchange, and potential failure point.

What You Will Learn

Mail Flow Overview: The Complete Picture

The complete mail flow consists of these major stages:

Seven Stages of Email Delivery

•Composition — User creates message in MUA (email client), enters recipients, writes content, attaches files
•Submission — MUA authenticates and submits message to MSA via SMTP (port 587)
•Routing — MTA queries DNS for recipient domain's MX records to determine delivery path
•Transfer — MTA relays message to recipient domain's MTA via SMTP (port 25)
•Filtering — Receiving MTA performs spam/virus/policy checks before acceptance
•Delivery — MDA places message in recipient's mailbox after any final processing
•Retrieval — Recipient's MUA fetches message via IMAP/POP3 for reading

Converting Mermaid diagram...

Timing Characteristics:

Mail flow timing varies dramatically based on conditions:

Scenario	Typical Timing	Determining Factors
Local delivery (same server)	< 1 second	No network transit, no MX lookup
Standard internet delivery	2-30 seconds	DNS lookup, connection setup, filtering
Greylist delayed	5-15 minutes	Initial rejection, retry on schedule
Deferred delivery	Minutes to hours	Temporary rejection, retry backoff
Queued delivery	Up to 5 days	Recipient server unreachable

Stage 1: Message Composition

User Actions During Composition:

Entering recipient addresses (To, Cc, Bcc)
Writing subject line
Composing message body (plain text and/or HTML)
Attaching files
Setting priority, read receipts, or other options
Saving drafts during composition

MUA Responsibilities During Composition:

MUA Composition Processing

•Address Validation — Syntax checking of email addresses (RFC 5321 format). Local address book lookup. Auto-completion suggestions. Warning for unusual domains.
•Message Structure Creation — Generating MIME structure for body and attachments. Selecting appropriate Content-Type for each part. Creating multipart boundaries.
•Character Encoding — Converting text to UTF-8 or appropriate encoding. Encoding non-ASCII header content per RFC 2047. Handling international domain names (IDN).
•Attachment Processing — Reading file contents. Base64 encoding binary data. Determining MIME type from file extension or content. Adding Content-Disposition headers.
•Header Generation — Creating From, To, Cc, Subject headers. Generating unique Message-ID. Adding Date header with current timestamp. User-Agent identification header.
•Draft Management — Periodic auto-save to server (IMAP Drafts folder) or local storage. Maintaining draft state for resume capability.

Message Constructed by MUA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
From: Alice Smith <alice@sender.com>
To: Bob Jones <bob@recipient.com>
Cc: Carol White <carol@recipient.com>
Bcc: Dave Black <dave@hidden.com>
Subject: Quarterly Report
Date: Mon, 17 Jan 2026 12:30:00 +0530
Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
User-Agent: Mozilla Thunderbird 115.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_001"
 
------=_Part_001
Content-Type: multipart/alternative; boundary="----=_Part_002"
 
------=_Part_002
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
 
Hi Bob,
 
Please find the quarterly report attached.
 
Best regards,
Alice
 
------=_Part_002
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
 
<!DOCTYPE html>
<html><body>
<p>Hi Bob,</p>
<p>Please find the quarterly report attached.</p>
<p>Best regards,<br>Alice</p>
</body></html>
 
------=_Part_002--
 
------=_Part_001
Content-Type: application/pdf; name="Q4-Report.pdf"
Content-Disposition: attachment; filename="Q4-Report.pdf"
Content-Transfer-Encoding: base64
 
JVBERi0xLjQKJeLjz9MKMSAwIG9iago8PAovVHlwZSAvQ2F0YWxvZwov
... (base64 encoded PDF content) ...
 
------=_Part_001--

Bcc Handling

Stage 2: Message Submission (MUA → MSA)

Submission Flow Steps:

SMTP Submission Sequence

•TCP Connection — MUA establishes TCP connection to MSA on port 587 (or 465 for implicit TLS)
•Server Greeting — MSA sends 220 banner identifying itself and confirming readiness
•ESMTP Negotiation — MUA sends EHLO, server responds with supported extensions
•TLS Upgrade — MUA issues STARTTLS, server agrees, TLS handshake encrypts connection
•Re-Negotiation — After TLS, MUA sends EHLO again to discover post-TLS capabilities
•Authentication — MUA authenticates using SASL (PLAIN, LOGIN, or OAuth 2.0 bearer token)
•Envelope Sender — MAIL FROM specifies the envelope sender for bounces
•Envelope Recipients — RCPT TO specifies each recipient address
•Data Transfer — DATA command followed by message headers and body
•Acceptance — Server responds 250 OK, message queued for delivery
•Disconnection — QUIT command closes session gracefully

MSA Processing:

The MSA performs critical validation before accepting the message:

Authentication Verification:

Verify submitted credentials against user database (LDAP, database, etc.)
Check that authenticated user is authorized to send as specified sender
Rate-limit per-user to prevent abuse

Message Validation:

Syntax check of envelope addresses
Message format compliance (RFC 5322)
Size limit enforcement
Attachment type restrictions (organizational policy)

Header Processing:

Add Received header documenting receipt
Add/verify Message-ID if missing
Add Date header if missing
Strip Bcc header from message content
May add X-Originating-IP for tracking

Signing:

DKIM signature computation and addition (if configured)
Organization digital signature (if required)

Complete Submission Session Trace
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Submission session from alice@sender.com to MSA
 
>> [TCP Connect to mail.sender.com:587]
 
<< 220 mail.sender.com ESMTP Ready
 
>> EHLO [192.168.1.100]
 
<< 250-mail.sender.com Hello
<< 250-PIPELINING
<< 250-SIZE 52428800
<< 250-STARTTLS
<< 250-AUTH PLAIN LOGIN XOAUTH2
<< 250-ENHANCEDSTATUSCODES
<< 250 DSN
 
>> STARTTLS
 
<< 220 2.0.0 Ready to start TLS
 
>> [TLS 1.3 Handshake - Certificate: *.sender.com]
 
>> EHLO [192.168.1.100]
 
<< 250-mail.sender.com Hello
<< 250-AUTH PLAIN LOGIN XOAUTH2
<< 250 OK
 
>> AUTH PLAIN AGFsaWNlQHNlbmRlci5jb20AcGFzc3dvcmQxMjM=
 
<< 235 2.7.0 Authentication successful
 
>> MAIL FROM:<alice@sender.com> SIZE=15234
 
<< 250 2.1.0 OK
 
>> RCPT TO:<bob@recipient.com>
 
<< 250 2.1.5 OK
 
>> RCPT TO:<carol@recipient.com>
 
<< 250 2.1.5 OK
 
>> RCPT TO:<dave@hidden.com>
 
<< 250 2.1.5 OK
 
>> DATA
 
<< 354 Start mail input; end with <CRLF>.<CRLF>
 
>> From: Alice Smith <alice@sender.com>
>> To: Bob Jones <bob@recipient.com>
>> Cc: Carol White <carol@recipient.com>
>> Subject: Quarterly Report
>> Date: Mon, 17 Jan 2026 12:30:00 +0530
>> Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>>
>> Hi Bob,
>>
>> Please find the quarterly report attached.
>>
>> Best regards,
>> Alice
>> .
 
<< 250 2.0.0 OK: queued as 4F7B892C1A
 
>> QUIT
 
<< 221 2.0.0 Bye

Stage 3: Message Routing (DNS MX Lookup)

After the MSA accepts the message, it enters the Mail Transfer Agent's queue. The MTA must now determine where to send the message—a process dependent on DNS MX (Mail Exchanger) record lookups.

Routing Algorithm:

For each recipient domain, the sending MTA follows this logic:

MX Resolution Steps

•Query MX Records — DNS query for MX records of recipient domain (e.g., recipient.com)
•Sort by Priority — Order MX records by preference value (lower = higher priority)
•Resolve A/AAAA Records — Get IP address(es) for highest priority MX hostname
•Attempt Connection — Try connecting to IP addresses in order
•Fallback on Failure — If all IPs for highest priority fail, try next priority MX
•No MX Fallback — If no MX records exist, attempt delivery to A/AAAA of domain itself
•Queue on Total Failure — If all attempts fail, queue message for retry

DNS MX Lookup Process
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# MTA routing query for bob@recipient.com
 
# Step 1: Query MX records
$ dig MX recipient.com
 
;; ANSWER SECTION:
recipient.com.     3600  IN  MX  10 mx1.recipient.com.
recipient.com.     3600  IN  MX  10 mx2.recipient.com.
recipient.com.     3600  IN  MX  20 mx-backup.recipient.com.
 
# MTA interpretation:
# Priority 10: mx1.recipient.com (primary)
# Priority 10: mx2.recipient.com (primary, load balanced)
# Priority 20: mx-backup.recipient.com (backup)
 
# Step 2: Resolve primary MX
$ dig A mx1.recipient.com
 
;; ANSWER SECTION:
mx1.recipient.com.   300  IN  A   203.0.113.10
 
$ dig A mx2.recipient.com
 
;; ANSWER SECTION:
mx2.recipient.com.   300  IN  A   203.0.113.11
 
# Step 3: MTA attempts connection in order:
# 1. Try mx1.recipient.com:25 (203.0.113.10)
#    If successful -> deliver
#    If connection refused/timeout -> try mx2
# 2. Try mx2.recipient.com:25 (203.0.113.11)
#    If successful -> deliver  
#    If connection refused/timeout -> try backup
# 3. Try mx-backup.recipient.com:25
#    If successful -> deliver
#    If all fail -> queue for retry
 
# Note: Same-priority MX records (10 and 10) are typically
# load-balanced by random selection or round-robin

Routing Edge Cases:

Sender Domain Considerations:

MTA checks sender domain has valid MX or A record (rejectability)
Some receivers verify sender can receive bounces

MX Record Edge Cases:

Scenario	Behavior
No MX records exist	Fall back to A/AAAA record of domain
MX points to CNAME	Technically invalid (but often works)
MX priority 0	Valid but unusual (null MX means no mail accepted)
All MX unreachable	Queue and retry per RFC 5321 guidelines
MX points to IP	Invalid (must be hostname)

Null MX (RFC 7505):

Domains that never receive email can advertise this fact:

example.com. IN MX 0 .

The single dot (.) as the MX target with priority 0 explicitly indicates "this domain does not accept mail." Compliant senders immediately generate bounces rather than attempting delivery.

DNS TTL Considerations

Stage 4: Message Transfer (MTA → MTA)

SMTP Transfer Characteristics:

TLS Opportunistic (STARTTLS): Modern MTAs negotiate TLS when available:

Sender offers STARTTLS
Receiver advertises STARTTLS support
If both support, connection upgrades to encrypted
If receiver doesn't support, sender may proceed unencrypted or defer

MTA-to-MTA Transfer Session
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# Transfer from sender MTA to recipient MTA (port 25)
 
>> [TCP Connect to mx1.recipient.com:25]
 
<< 220 mx1.recipient.com ESMTP Ready
 
>> EHLO mail.sender.com
 
<< 250-mx1.recipient.com Hello mail.sender.com [198.51.100.10]
<< 250-STARTTLS
<< 250-SIZE 104857600
<< 250-8BITMIME
<< 250-ENHANCEDSTATUSCODES
<< 250-PIPELINING
<< 250 DSN
 
>> STARTTLS
 
<< 220 2.0.0 Ready to start TLS
 
>> [TLS handshake completes]
 
>> EHLO mail.sender.com
 
<< 250-mx1.recipient.com Hello mail.sender.com [198.51.100.10]
<< 250-SIZE 104857600
<< 250-8BITMIME
<< 250 OK
 
>> MAIL FROM:<alice@sender.com>
 
<< 250 2.1.0 OK
 
>> RCPT TO:<bob@recipient.com>
 
<< 250 2.1.5 OK
 
>> DATA
 
<< 354 Start mail input
 
>> Received: from [192.168.1.100] (unknown [198.51.100.5])
>>   by mail.sender.com (Postfix) with ESMTPSA id 4F7B892C1A
>>   for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:00 +0530
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.com;
>>   s=default; h=from:to:subject:date:message-id;
>>   bh=lK7kgXBJl+8k7hjd...; b=pXjmxY...
>> From: Alice Smith <alice@sender.com>
>> To: Bob Jones <bob@recipient.com>
>> Subject: Quarterly Report
>> Date: Mon, 17 Jan 2026 12:30:00 +0530
>> Message-ID: <550e8400-e29b-41d4-a716-446655440000@sender.com>
>> [... message body ...]
>> .
 
<< 250 2.0.0 OK: queued as 8A3C4D5E6F
 
>> QUIT
 
<< 221 2.0.0 Bye

Received Headers:

Each MTA adds a "Received" header documenting the hop. These headers create an audit trail:

Received: from mail.sender.com (mail.sender.com [198.51.100.10])
    by mx1.recipient.com (Postfix) with ESMTPS id 8A3C4D5E6F
    for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:05 +0530

Multi-Hop Scenarios:

Messages may traverse multiple MTAs:

Internal relay servers within organizations
Border gateways before internal mail systems
Backup MX holding mail for unavailable primary
Email service providers handling customer domains

Each hop adds latency and a Received header, creating traceable delivery paths.

Response Codes:

Code	Meaning	Action
250	Message accepted	Delivery complete
421	Service unavailable	Temporary, retry
450	Mailbox unavailable	Temporary, retry
451	Local processing error	Temporary, retry
452	Insufficient storage	Temporary, retry
500-504	Syntax/command errors	Permanent failure
550	Mailbox unavailable	Permanent, bounce
551	User not local	Permanent, forward info
552	Exceeded storage	Permanent, bounce
553	Mailbox name invalid	Permanent, bounce
554	Transaction failed	Permanent, bounce

Stage 5: Message Filtering and Security

Filtering Occurs at Multiple Points:

Pre-DATA Checks — Before message content is transmitted
Post-DATA Checks — After full message is received
Post-Queue Checks — After acceptance, before final delivery

Pre-DATA Filtering (Connection and Envelope)

•IP Reputation Check — Query DNSBLs (DNS-based Blacklists) like Spamhaus, Barracuda, SpamCop. Connecting IP's reputation significantly influences acceptance.
•Reverse DNS Verification — Check that connecting IP has valid PTR record. Many servers reject mail from IPs without reverse DNS.
•HELO/EHLO Verification — Validate hostname provided. Reject if it doesn't resolve or mismatches connection IP.
•SPF Check — Query DNS for sender domain's SPF record. Verify sending IP is authorized for that domain.
•Rate Limiting — Limit connections per IP per time period. Throttle suspected spam sources.
•Greylisting — Temporarily reject first attempt from unknown sender/recipient/IP triplets. Legitimate servers retry; spambots typically don't.
•Recipient Verification — Verify recipient address exists before accepting message. Prevents backscatter from invalid addresses.

Post-DATA Filtering (Content Analysis)

•DKIM Verification — Validate cryptographic signature against DNS-published public key. Confirms message integrity and authorized sender.
•DMARC Evaluation — Check sender's DMARC policy. Combine SPF and DKIM results with alignment requirements. Apply policy (none/quarantine/reject).
•Spam Content Analysis — Bayesian filtering on content patterns. Signature matching against known spam. Heuristic rules (SpamAssassin, Rspamd).
•Virus Scanning — Scan attachments with anti-virus engines (ClamAV, commercial AV). Detect malware, ransomware, exploit documents.
•URL Analysis — Check URLs against phishing databases. Reputation lookup for linked domains. Link rewriting for safe browsing.
•Attachment Policy — Block dangerous file types (.exe, .js, .vbs). Verify file types match extensions. Unpack and scan archives.
•DLP (Data Loss Prevention) — Enterprise-specific content policies. Detect sensitive data (credit cards, SSN). Enforce compliance rules.

SPF, DKIM, DMARC Verification Flow:

Received message: From: alice@sender.com

1. SPF Check:
   Query: sender.com TXT record
   Result: v=spf1 mx ip4:198.51.100.0/24 -all
   Connecting IP: 198.51.100.10
   Verdict: PASS (IP in authorized range)

2. DKIM Check:
   Signature selector: "default"
   Query: default._domainkey.sender.com TXT
   Result: v=DKIM1; k=rsa; p=MIGfMA0...
   Signature verification: VALID
   Verdict: PASS

3. DMARC Check:
   Query: _dmarc.sender.com TXT
   Result: v=DMARC1; p=reject; adkim=s; aspf=s
   SPF alignment: PASS (From domain matches envelope)
   DKIM alignment: PASS (From domain matches signed domain)
   Verdict: PASS

Final authorization: ACCEPT (all checks passed)

Filtering Outcomes:

Outcome	When Applied	User Experience
Accept to Inbox	All checks pass, low spam score	Normal delivery
Accept to Spam	Moderate spam signals, policy	Spam folder
Quarantine	High spam score, admin review	Delayed, reviewed
Reject (SMTP)	Security policy violation	Sender gets bounce
Drop (Silently)	Known spam, virus	No notification

Reject vs. Drop

Stage 6: Local Delivery (MTA → MDA → Mailbox)

MDA Invocation Methods:

The MTA hands off messages to the MDA through several possible mechanisms:

MTA-to-MDA Handoff Methods

•LMTP (Local Mail Transfer Protocol) — SMTP-like protocol for efficient local delivery. Supports per-recipient responses. Preferred for virtual mailbox systems. Dovecot provides LMTP daemon.
•Pipe to LDA Program — Direct execution of LDA binary (e.g., deliver, maildrop). Message passed via stdin. Exit code indicates success/failure.
•File-Based Handoff — Write to shared spool directory. MDA watches for new files. Less efficient but simple.
•Internal Integration — MTA includes built-in MDA functionality. Common in all-in-one solutions.

MDA Processing Steps:

User Resolution:
- Look up recipient address in directory (LDAP, database, passwd)
- Resolve aliases and forwards
- Determine mailbox location
Quota Checking:
- Check user's storage quota
- Reject or defer if quota exceeded
- May notify user of quota status
Sieve Filtering:
- Execute user's Sieve filter scripts
- File to folders based on rules
- Forward copies as configured
- Set flags, vacation responses
Final Delivery:
- Write message to mailbox format (Maildir, mbox, database)
- Update mailbox indexes
- Set new message flag
- Trigger push notifications

Dovecot LMTP Delivery Log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Dovecot LMTP delivery log entry
 
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346): 
  Connect from local
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com): 
  8A3C4D5E6F: msgid=<550e8400-e29b-41d4-a716-446655440000@sender.com>: 
  saved mail to INBOX
 
# Breakdown:
# - Accepted from local MTA via LMTP
# - Recipient: bob@recipient.com
# - Queue ID: 8A3C4D5E6F (correlates with MTA logs)
# - Message-ID: from sender
# - Destination: INBOX (default folder)
 
# With Sieve filtering:
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com):
  sieve: msgid=<550e8400...@sender.com>: 
  stored mail into mailbox 'Projects/Quarterly-Reports'
 
# Quota warning example:
Jan 17 12:30:10 mail dovecot[12345]: lmtp(12346, bob@recipient.com):
  Warning: user is over quota (quota: 1024 MB, used 1020 MB)

Mailbox Storage Formats:

Maildir Format:

/var/mail/vhosts/recipient.com/bob/
├── cur/           # Read messages
│   └── 1737105010.V802I....:2,S
├── new/           # Unread messages (just delivered)
│   └── 1737105610.V802I...
├── tmp/           # Temporary during delivery
├── dovecot.index
├── dovecot.index.cache
└── dovecot.index.log

dbox/mdbox (Dovecot optimized):

Multiple messages per file
Better performance for large mailboxes
Metadata in separate index files
Dovecot-specific format

Database Storage:

Messages stored as database records
Enables sophisticated querying
Common in webmail-focused systems
Requires database administration

Stage 7: Message Retrieval (Mailbox → MUA)

The final stage occurs when the recipient checks their email. The Mail User Agent connects to the Mail Access Agent (IMAP/POP3 server) to retrieve and display the delivered message.

Retrieval Initiation:

Retrieval may be triggered by:

User manually checking email
Scheduled polling (every N minutes)
IMAP IDLE push notification of new mail
Mobile push notification triggering app fetch

IMAP Retrieval Pattern:

Connect to IMAP server (port 993 TLS)
Authenticate user
SELECT INBOX
Check for new messages (EXISTS count, UIDNEXT)
FETCH new message envelopes (headers)
Display message list to user
User selects message
FETCH message body
Render message for display
STORE \Seen flag to mark read

POP3 Retrieval Pattern:

Connect to POP3 server (port 995 TLS)
Authenticate user
STAT to get message count
LIST to get message sizes
RETR each message (full download)
Store messages locally
DELE to mark for deletion (optional)
QUIT to finalize session
Server removes marked messages
User reads from local store

IMAP Message Retrieval Session
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Bob's MUA retrieves Alice's message via IMAP
 
>> [Connect to imap.recipient.com:993 with TLS]
 
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE] IMAP ready
C: A001 LOGIN "bob@recipient.com" "password"
S: A001 OK LOGIN completed
 
C: A002 SELECT INBOX
S: * 147 EXISTS
S: * 1 RECENT
S: * OK [UNSEEN 147]
S: * OK [UIDVALIDITY 1234567890]
S: * OK [UIDNEXT 2048]
S: A002 OK [READ-WRITE] SELECT completed
 
# MUA sees 1 new message (RECENT), message 147 is unread
 
C: A003 FETCH 147 (UID FLAGS ENVELOPE BODYSTRUCTURE)
S: * 147 FETCH (
     UID 2047
     FLAGS ()
     ENVELOPE (
       "Mon, 17 Jan 2026 12:30:00 +0530"
       "Quarterly Report"
       (("Alice Smith" NIL "alice" "sender.com"))
       (("Bob Jones" NIL "bob" "recipient.com"))
       NIL NIL NIL
       "<550e8400-e29b-41d4-a716-446655440000@sender.com>"
     )
     BODYSTRUCTURE (...)
   )
S: A003 OK FETCH completed
 
# User clicks to read message body
 
C: A004 FETCH 147 (BODY[TEXT])
S: * 147 FETCH (BODY[TEXT] {256}
   Hi Bob,
   
   Please find the quarterly report attached.
   
   Best regards,
   Alice
   )
S: A004 OK FETCH completed
 
# Mark as read
C: A005 STORE 147 +FLAGS (\Seen)
S: * 147 FETCH (FLAGS (\Seen))
S: A005 OK STORE completed
 
# Return to IDLE for push
C: A006 IDLE
S: + idling

Push Notification Flow:

Modern mobile email delivery often involves push notifications:

IMAP IDLE: Client maintains persistent connection; server pushes new message notification
Proprietary Push (Gmail, Outlook): Server sends push via platform services (APNs, FCM); app wakes and fetches
Exchange ActiveSync: Server pushes notification indicating new mail; client syncs changed items

Complete Message Journey Summary:

Alice's message to Bob traversed:

Alice's MUA → MSA (submission, port 587, authenticated)
Sender MTA → DNS (MX lookup for recipient.com)
Sender MTA → Recipient MTA (transfer, port 25)
Recipient filters (SPF, DKIM, DMARC, spam, virus)
Recipient MTA → MDA (local delivery via LMTP)
MDA → Mailbox (written to Maildir/INBOX)
MAA → Bob's MUA (retrieved via IMAP, port 993)

Troubleshooting Mail Flow: Logs and Diagnostics

When mail doesn't arrive as expected, understanding how to trace its path through logs is an essential skill for email administrators and developers.

Key Log Locations:

Component	Typical Log Location	What It Shows
Postfix	/var/log/mail.log	Submission, transfer, local delivery
Dovecot	/var/log/mail.log	IMAP/POP3 access, LDA delivery
Exchange	Event Viewer / Message Tracking	End-to-end flow
Rspamd	/var/log/rspamd/rspamd.log	Spam filtering decisions
ClamAV	/var/log/clamav/clamav.log	Virus detection

Tracing by Message-ID:

Every message has a unique Message-ID header. Searching logs for this ID reveals the complete path:

# Find all log entries for a specific message
grep "550e8400-e29b-41d4-a716" /var/log/mail.log

# Postfix queue ID correlation
grep "4F7B892C1A" /var/log/mail.log

Common Mail Flow Issues and Diagnostics

•Message not sent — Check MUA's Outbox/Sent folder. Verify MSA connection and authentication. Check MUA error messages. Examine submission logs.
•Message stuck in queue — Check MTA queue (mailq in Postfix). Examine deferred queue reasons. Test connectivity to recipient MX. Verify DNS resolution.
•Rejected by recipient — Check bounce message details. Verify sender DNS (SPF, DKIM, DMARC). Check sending IP reputation. Review rejection code and message.
•Delivered to spam — Analyze email headers for spam scores. Check authentication results header. Review sender reputation. Verify DKIM alignment.
•Message not in inbox — Verify delivery logs show acceptance. Check spam folder. Review user Sieve filtering rules. Verify correct recipient address.
•Delayed delivery — Check for greylisting (temporary rejection). Examine queue retry schedule. Verify recipient server availability. Check for rate limiting.

Email Header Analysis Example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Key headers to examine for troubleshooting
 
# 1. Received headers (read bottom-to-top for chronological order)
Received: from mx1.recipient.com (mx1.recipient.com [203.0.113.10])
        by imap.recipient.com (Dovecot) with LMTP id XYZ789
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:08 +0530
Received: from mail.sender.com (mail.sender.com [198.51.100.10])
        by mx1.recipient.com (Postfix) with ESMTPS id 8A3C4D5E6F
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:05 +0530
Received: from [192.168.1.100] (unknown [198.51.100.5])
        by mail.sender.com (Postfix) with ESMTPSA id 4F7B892C1A
        for <bob@recipient.com>; Mon, 17 Jan 2026 12:30:00 +0530
 
# 2. Authentication results (added by receiving server)
Authentication-Results: mx1.recipient.com;
        dkim=pass header.d=sender.com header.s=default;
        spf=pass (sender IP is 198.51.100.10) smtp.mailfrom=sender.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=sender.com
 
# 3. Spam/filter results (if present)
X-Spam-Status: No, score=-2.1 required=5.0 
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        DKIM_VALID_EF=-0.1, SPF_PASS=-0.5, RCVD_IN_DNSWL_MED=-1.4]
X-Spam-Score: -2.1
 
# 4. DKIM signature (for verification)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.com;
        s=default; h=from:to:subject:date:message-id;
        bh=lK7kgXBJl+8k7hjd...;
        b=pXjmxY...

Summary: The Complete Mail Journey

We have traced an email's complete journey from sender to recipient, examining every component, protocol, and potential failure point. Let's consolidate this knowledge:

Key Takeaways

•Email follows store-and-forward architecture — Messages are stored at each hop, ensuring reliability despite transient failures.
•Composition creates properly structured messages — MUAs generate RFC-compliant headers, MIME structure, and encoded content.
•Submission requires authentication — Port 587 MSAs verify sender identity before accepting messages into the mail system.
•DNS MX records drive routing — MTAs query DNS to determine which servers handle mail for each domain.
•MTA-to-MTA transfer uses port 25 — Server-to-server relay connects to recipient MX without authentication, using TLS opportunistically.
•Filtering determines message fate — SPF, DKIM, DMARC, spam analysis, and virus scanning classify messages before delivery.
•Local delivery writes to mailbox — MDAs apply final filtering, quota checks, and store messages for retrieval.
•Retrieval completes the journey — IMAP or POP3 enables users to access delivered messages from any device.
•Headers and logs enable troubleshooting — Received headers, authentication results, and server logs trace complete message paths.

What's Next:

Page Complete

4 / 5