Loading learning content...
After your email leaves your organization's mail server, it embarks on a journey across the Internet—hopping between servers, navigating DNS lookups, and traversing organizational boundaries until it reaches its destination. This mail relay process is the backbone of global email communication, enabling billions of messages to cross domains, networks, and continents every day.
Understanding mail relay is essential for email administrators who configure routing policies, security professionals who protect against unauthorized relay abuse, and developers who need to diagnose why mail isn't reaching its destination. The relay process involves intricate DNS lookups, trust decisions, and protocol exchanges that determine whether an email successfully arrives or disappears into a spam filter.
By the end of this page, you will understand MX record resolution and mail routing decisions, master relay authorization policies that prevent open relay abuse, comprehend multi-hop delivery paths and message tracing, and learn security mechanisms including DANE, MTA-STS, and TLS enforcement for server-to-server transfers.
Mail relay is the process by which a Mail Transfer Agent (MTA) accepts a message destined for another domain and forwards it toward the recipient's mail server. Unlike mail submission (client-to-server), relay is a server-to-server operation that happens automatically, without direct user involvement.
The Relay Decision:
When an MTA receives a message via SMTP, it must make a critical decision: Should I accept and relay this message? This decision depends on:
Types of Relay:
1. Outbound Relay: Relaying mail from internal users to external domains. This is normal operation—your mail server sends your organization's email to the world.
2. Inbound Delivery: Receiving mail for your domain from external senders. Technically not "relay" but often handled by the same infrastructure.
3. Open Relay (Dangerous!): Relaying mail from anyone to anyone—with no authorization. This is a security disaster and the primary source of spam. An open relay forwards mail from arbitrary senders to arbitrary recipients, often exploited within hours of going online.
4. Authorized Third-Party Relay: Relaying for specific authorized parties (backup MX, smarthost relay, email service providers). This is legitimate but requires explicit configuration.
An open relay server will be discovered and exploited by spammers within hours. Your IP will be blacklisted, legitimate mail will be rejected, and your organization may face legal liability. NEVER configure a mail server without explicit relay restrictions.
Before relaying email to a recipient domain, the sending MTA must discover which server(s) accept mail for that domain. This is accomplished through DNS MX (Mail Exchanger) records.
MX Record Structure:
An MX record specifies the hostname of a mail server and a priority value (lower = higher priority):
example.com. IN MX 10 mail.example.com.
example.com. IN MX 20 backup.example.com.
example.com. IN MX 30 emergency.example.net.
Resolution Algorithm:
12345678910111213141516171819
# Query MX records for gmail.com$ dig MX gmail.com +short5 gmail-smtp-in.l.google.com.10 alt1.gmail-smtp-in.l.google.com.20 alt2.gmail-smtp-in.l.google.com.30 alt3.gmail-smtp-in.l.google.com.40 alt4.gmail-smtp-in.l.google.com. # Resolve the primary MX to IP addresses$ dig A gmail-smtp-in.l.google.com +short142.250.27.26 $ dig AAAA gmail-smtp-in.l.google.com +short2607:f8b0:400e:c00::1a # Example: Connecting to send mail$ openssl s_client -starttls smtp -connect gmail-smtp-in.l.google.com:25# ... TLS negotiation ...# 250-smtp.google.com at your serviceEdge Cases in MX Resolution:
No MX Record: If no MX record exists, RFC 5321 specifies falling back to the domain's A/AAAA record. The sender should attempt delivery directly to the domain's IP address.
Null MX (MX 0 .): RFC 7505 introduced the "null MX" record indicating a domain explicitly does not accept email:
no-email.example.com. IN MX 0 .
Senders should immediately generate a bounce for recipients at such domains.
MX Pointing to CNAME: RFC 5321 discourages MX records pointing to CNAMEs. The MX should resolve directly to A/AAAA records. Some servers reject or mishandle CNAME chains.
Same Priority (Round-Robin): When multiple MX records share the same priority, senders should distribute load randomly among them, not always choosing the same one.
Always configure at least two MX records with different priority values. If your primary server fails, mail will automatically route to backup servers. Consider using geographically distributed MX servers for resilience against datacenter failures.
Controlling who can relay mail through your server is the most critical security configuration for any MTA. Misconfiguration creates open relays; over-restriction blocks legitimate mail.
Policy Components:
Relay authorization involves checking multiple factors:
| Strategy | Description | Use Case | Risk Level |
|---|---|---|---|
| Authenticated Senders | Allow relay only after SMTP AUTH | Standard for user mail submission | Low |
| Trusted Networks | Allow relay from specific IP ranges | Internal servers, partners | Medium (IP can be spoofed) |
| Local Recipients Only | Accept only mail for local domains; reject relay | Inbound-only MX servers | Low |
| SMTP After POP/IMAP | Temporary relay permission after mailbox check | Legacy webmail systems | Medium |
| TLS Client Certificates | Relay based on verified client certificate | Server-to-server trust | Low |
| Sender Domain Authority | Relay only if sender is local domain | Outbound filtering | Low to Medium |
123456789101112131415161718192021222324252627282930
# Define networks trusted to relay without authmynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8 # Define domains for which we accept mail (inbound)mydestination = example.com, mail.example.com, localhost # Define domains we're allowed to relay FOR (outbound)relay_domains = # Recipient restrictions (the key control!)smtpd_recipient_restrictions = # Allow authenticated senders permit_sasl_authenticated, # Allow local network permit_mynetworks, # Reject mail not destined for our domains reject_unauth_destination, # Additional checks... check_recipient_access hash:/etc/postfix/recipient_access # sender restrictionssmtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain # This combo means:# - Authenticated users can send anywhere# - Local network can send anywhere # - External servers can only send TO our domains# - Relay FOR external senders to external recipients = DENIEDTesting Relay Configuration:
ALWAYS test your relay configuration after changes. A misconfiguration can turn your server into a spam source within hours.
# From an EXTERNAL IP (not in mynetworks), without auth:
telnet mail.example.com 25
EHLO test.external.com
MAIL FROM:<spammer@evil.com>
RCPT TO:<victim@gmail.com>
# Expected response:
# 554 5.7.1 <victim@gmail.com>: Relay access denied
# If you see "250 OK" — YOU HAVE AN OPEN RELAY!
Use External Testing Services:
Testing relay from your own network may pass because you're in mynetworks. Always test from an external IP address or use online relay testing services. If in doubt, configure more restrictively and loosen only when necessary.
Email often traverses multiple servers between sender and recipient. Each hop adds a Received header, creating an audit trail of the message's journey. Understanding multi-hop routing is essential for troubleshooting delivery issues and investigating message origins.
Common Multi-Hop Scenarios:
Tracing the Route via Received Headers:
Every MTA prepends a Received header when handling a message. Reading these headers from bottom to top reveals the message path:
1234567891011121314151617181920212223
Received: from mx.receiver.com (mx.receiver.com [203.0.113.50]) by final-delivery.receiver.com (Postfix) with ESMTP id DEF456 for <bob@receiver.com>; Mon, 15 Jan 2024 10:35:00 -0500 # ↑ Hop 4: Final internal delivery within receiver.com Received: from scanner.receiver.com (scanner.receiver.com [10.0.0.5]) by mx.receiver.com (Postfix) with ESMTP id CDE345 for <bob@receiver.com>; Mon, 15 Jan 2024 10:34:59 -0500 # ↑ Hop 3: Internal security scanner at receiver.com Received: from gateway.sender.org (gateway.sender.org [198.51.100.25]) by mx.receiver.com (Postfix) with ESMTPS id BCD234 for <bob@receiver.com>; Mon, 15 Jan 2024 10:34:58 -0500 # ↑ Hop 2: Gateway at sender.org → MX at receiver.com Received: from internal.sender.org (internal.sender.org [10.1.0.10]) by gateway.sender.org (Postfix) with ESMTP id ABC123 for <bob@receiver.com>; Mon, 15 Jan 2024 10:34:55 -0500 # ↑ Hop 1: Internal submission at sender.org → outbound gatewayKey Information in Received Headers:
Reading Received Headers for Troubleshooting:
Received headers are prepended, so the newest is at the top. The FIRST (bottom) Received header is often the most trustworthy since it's added by your own infrastructure. Headers below the security boundary (your first MX) could be forged by the sender.
Unlike submission (where TLS is mandatory for credential protection), server-to-server relay traditionally used opportunistic encryption—encrypt if possible, fall back to plaintext if not. Modern standards increasingly push toward mandatory encryption to protect message confidentiality.
Opportunistic TLS (Traditional):
C: EHLO sender.example.org
S: 250-mx.receiver.com
S: 250-STARTTLS
S: 250 OK
C: STARTTLS
S: 220 Ready
[TLS negotiation]
# ... encrypted session continues
If the server doesn't advertise STARTTLS, or TLS negotiation fails, the sender continues in plaintext. This prevents encryption from blocking mail delivery but exposes content to eavesdroppers.
| Mode | Behavior | Security | Deliverability |
|---|---|---|---|
| None | No TLS attempted | None — plaintext always | Maximum |
| Opportunistic | TLS if available; plaintext fallback | Best-effort encryption | High |
| Mandatory (per-domain) | TLS required for specific domains | Strong for configured domains | May fail for those domains |
| Mandatory (all) | TLS required for all destinations | Strong but may block mail | Lower — may reject servers |
| DANE | TLS with DNSSEC-verified certificates | Cryptographically verified encryption | Moderate — requires DANE support |
| MTA-STS | TLS policy published via HTTPS | Strong — policy prevents downgrade | Good — graceful enforcement |
The STARTTLS Stripping Attack:
Because STARTTLS is negotiated over plaintext, an active attacker can:
STARTTLS from the server's EHLO responseThis is why opportunistic TLS provides "best effort" security but not guaranteed protection.
MTA-STS: Mandatory TLS with Policy:
RFC 8461 introduced MTA-STS (Mail Transfer Agent Strict Transport Security) to solve STARTTLS stripping:
https://mta-sts.example.com/.well-known/mta-sts.txt)# Example: https://mta-sts.example.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.example.com
mx: backup.example.com
max_age: 604800
1234567891011121314151617181920212223
# Opportunistic TLS for outbound relay (default)smtp_tls_security_level = maysmtp_tls_loglevel = 1 # Verify certificate (but don't require it to match)smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt # Log TLS connectionssmtp_tls_note_starttls_offer = yes # --- For mandatory TLS to specific domains ---# Use policy maps for per-destination settings # smtp_tls_policy_maps = hash:/etc/postfix/tls_policy # /etc/postfix/tls_policy:# example.com encrypt# sensitive.org verify match=.sensitive.org# .gov dane # "encrypt" = require TLS, any certificate# "verify" = require TLS, verify certificate hostname# "dane" = require DANE-verified certificateRequiring TLS for all destinations would block mail to servers that don't support TLS. Use opportunistic TLS as baseline, with per-domain policies for sensitive destinations. MTA-STS adoption allows recipients to signal TLS requirements without blocking mail from legacy senders.
DANE (DNS-based Authentication of Named Entities) provides cryptographic authentication of mail server TLS certificates using DNSSEC. It solves a fundamental problem: how can a sending server verify it's talking to the legitimate receiving server and not an imposter?
The Problem with Traditional TLS:
With standard TLS, the sender:
But if an attacker compromises DNS, they can redirect traffic to their server with a certificate from any trusted CA (compromise one of 100+ CAs). DNSSEC + DANE closes this gap.
How DANE Works:
TLSA Record Format:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <certificate_hash>
Parameters:
1234567891011121314151617181920
# Step 1: Find MX for domain$ dig MX example.com +short10 mail.example.com. # Step 2: Lookup TLSA record for the MX on port 25$ dig TLSA _25._tcp.mail.example.com +short3 1 1 2BB183AF411D06AE2F9A9B8D3B57F55E9E4287D88B... # Step 3: Verify DNSSEC chain (requires DNSSEC resolver)$ dig TLSA _25._tcp.mail.example.com +dnssec;; flags: qr rd ra ad; # 'ad' = Authenticated Data (DNSSEC verified) # Step 4: Sending MTA connects to mail.example.com:25# Verifies TLS certificate matches TLSA hash# If match: proceed with encrypted transfer# If mismatch: reject connection (possible attack) # Example: Check if domain has DANE$ dig TLSA _25._tcp.mail.ietf.org +short +dnssec3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7...| Aspect | Consideration |
|---|---|
| Prerequisite | Domain must have full DNSSEC chain (from root to TLSA record) |
| Setup Complexity | Significant — requires DNSSEC infrastructure and maintenance |
| Adoption Rate | Still limited — ~5% of domains as of 2024 |
| Failure Mode | Strict — misconfigured TLSA can block all incoming mail |
| MTA Support | Good — Postfix, Exim, OpenSMTPD support DANE |
| Benefit | Strongest protection against MITM attacks on email |
You can enable DANE validation for sending without publishing DANE records for receiving. This protects your outbound mail to DANE-enabled destinations while not requiring you to maintain DNSSEC. Consider supporting DANE outbound even if not ready for inbound.
Multiple MX records with different priorities provide redundancy. When the primary MX is unavailable, sending servers automatically route mail to backup servers. Understanding this mechanism is essential for reliable email infrastructure.
How Backup MX Works:
example.com. IN MX 10 primary.example.com.
example.com. IN MX 20 backup1.example.com.
example.com. IN MX 30 backup2.example.net.
| Architecture | Description | Pros | Cons |
|---|---|---|---|
| Store-and-Forward | Backup accepts and queues mail, forwards when primary recovers | Simple; survives long outages | Spam may accumulate; security policies may differ |
| Failover Cluster | Backup is a replica of primary with shared queue | Consistent policies; fast failover | Complex; requires synchronization |
| Cloud MX Backup | Third-party service (e.g., MXGuardian) handles backup | No infrastructure to maintain | Trust third party with all mail |
| SMTP Load Balancer | Single IP with health checks to multiple backends | Transparent failover; same priority | Single point of failure at LB |
Security Concerns with Backup MX:
Backup MX servers are high-value targets for attackers because:
Best Practices for Backup MX:
An improperly secured backup MX is often the weakest link in email security. Many attacks specifically target backup servers because they're assumed to have weaker filtering. If you can't properly secure a backup MX, consider not having one.
When a relay attempt fails, the sending MTA must decide: retry later, or give up and notify the sender? This decision affects user experience, server resources, and spam handling.
Temporary Failures (4xx) — Retry:
Temporary failures indicate the receiving server couldn't handle the message right now but might succeed later:
Retry Behavior:
| Retry # | Delay | Cumulative Time | Notes |
|---|---|---|---|
| 1 | 5 minutes | 5 min | Quick retry for transient issues |
| 2 | 10 minutes | 15 min | Still likely transient |
| 3 | 30 minutes | 45 min | May be recovering from outage |
| 4 | 1 hour | 1.75 hr | Longer backoff |
| 5 | 2 hours | 3.75 hr | Becoming an extended issue |
| 6-12 | 4 hours | ~24+ hr | Daily attempts |
| Final | — | 5-7 days | Give up, generate bounce (DSN) |
Permanent Failures (5xx) — Bounce Immediately:
Permanent failures indicate the message can never be delivered and should not be retried:
Delivery Status Notification (DSN / Bounce):
When giving up, the MTA generates a DSN (bounce message) sent to the envelope sender (MAIL FROM address):
From: MAILER-DAEMON@sender.example.org
To: alice@sender.example.org
Subject: Undelivered Mail Returned to Sender
This is the mail delivery agent at sender.example.org.
I was unable to deliver your message to the following address:
<unknown@receiver.com>:
550 5.1.1 User unknown
--- Original message follows ---
[First ~50KB of original message]
DSN Security Considerations:
Backscatter Problem: Spammers forge sender addresses. When spam bounces, the DSN goes to the forged (innocent) address. This "backscatter" is itself a form of spam/DoS.
Mitigation Strategies:
MAIL FROM:<>) except for legitimate DSNsThe best practice is to perform as much validation as possible during the SMTP transaction (RCPT TO phase). If you can reject then, no bounce is needed—the sending server's responsibility to notify the sender. Only generate DSNs for failures discovered after accepting a message.
We've comprehensively explored mail relay—the mechanism that routes email across the Internet from organization to organization. Let's consolidate the critical knowledge:
reject_unauth_destination and similar policies are critical to prevent spam relay abuseWhat's Next:
With relay mechanisms understood, we turn to SMTP Extensions (ESMTP)—the evolutionary enhancements that have kept SMTP relevant for 40+ years. We'll explore the EHLO negotiation mechanism and key extensions including AUTH, STARTTLS, SIZE, 8BITMIME, SMTPUTF8, and the emerging standards that continue to improve email security and functionality.
You now understand mail relay comprehensively—from MX lookups and authorization policies to multi-hop routing, TLS security, backup MX design, and bounce handling. This knowledge enables you to configure, troubleshoot, and secure mail relay infrastructure.