The email journey step by step
Email delivery involves more distinct systems than most users realize. Here is what happens between pressing Send and the message appearing in someone's inbox:
- Your mail client (MUA — Mail User Agent) submits the message to your outgoing mail server (MSA — Mail Submission Agent) on TCP port 587 using SMTP with AUTH credentials. Port 587 with STARTTLS is the modern standard for client-to-server submission; port 25 is reserved for server-to-server relay.
- The MSA hands the message to an MTA (Mail Transfer Agent), which performs a DNS MX lookup for the recipient domain to find the destination mail server.
- The sending MTA connects to the recipient MTA on port 25 and delivers the message over SMTP. Each server that handles the message prepends a Received header, creating a traceable delivery log.
- The recipient MTA passes the message to an MDA (Mail Delivery Agent), which stores it in the user's mailbox — either in Maildir format on disk or a database.
- The recipient's mail client retrieves the message using IMAP (port 993 with TLS) or POP3 (port 995). IMAP leaves messages on the server and synchronizes state across devices; POP3 typically downloads and deletes, leaving only one device with the message.
Protocols and Records
| Component | Job | Where it appears |
|---|---|---|
| SMTP | Sends mail to servers | Outbound mail and server-to-server delivery |
| IMAP | Synchronizes mailbox contents | Mail apps across devices |
| POP3 | Downloads messages | Older or simple mail setups |
| MX record | Identifies mail servers for a domain | DNS |
| SPF | Lists allowed sending sources | DNS TXT record |
| DKIM | Signs messages cryptographically | DNS public key and message header |
| DMARC | Defines policy for authentication failures | DNS TXT record |
DNS MX record lookup
When a mail server needs to deliver to user@example.com, it queries DNS for the MX records of example.com. MX records include a priority value — lower numbers are tried first. A domain can have multiple MX records for redundancy:
10 mail1.example.com— primary, tried first20 mail2.example.com— fallback if primary is unreachable30 mail3.example.com— tertiary fallback
If the primary server is unavailable, the sending MTA tries the next priority level and queues the message for retry. This redundancy is why email survives server outages that would break real-time services.
Received headers and the relay chain
Each SMTP server that handles a message prepends a Received header. Reading headers from bottom to top traces the message's path: the bottommost Received header was added by the first server (your outgoing MTA), and the topmost by the last server before delivery to the mailbox. Timestamps in Received headers reveal where delays occurred — a gap of several minutes between two headers often indicates a spam filter queue or a greylisting delay at that hop.
Email authentication: SPF, DKIM, and DMARC
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and hostnames authorized to send email for your domain. A receiving server checks whether the sending IP matches the domain's SPF record. Example: v=spf1 include:_spf.google.com ~all authorizes Google's servers to send for the domain. The ~all means "soft fail" anything else; -all means "hard fail."
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. The sending server signs specified headers and the message body using a private key; the public key is published in DNS under a selector subdomain (e.g., selector1._domainkey.example.com). The receiving server fetches the public key and verifies the signature, confirming the message was not tampered with in transit and was sent by someone with access to the private key.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy. The domain owner publishes a DMARC record specifying what to do when a message fails both SPF and DKIM alignment: p=none (monitor only), p=quarantine (deliver to spam folder), or p=reject (refuse delivery). DMARC also enables reporting: receivers send aggregate reports of authentication results back to the domain owner, making it possible to detect spoofing attempts.
Spam filtering pipeline
Authentication checks are just the first layer. Modern spam filters run multiple checks in sequence: IP reputation (is this sending IP on known blocklists?), content analysis (spam trigger words, suspicious HTML structures, misleading links), attachment scanning (malware signatures, executable types), Bayesian filtering (statistical comparison against known spam and ham), and behavioral signals (complaint rates, unsubscribe rates, engagement history). A message can pass all authentication checks and still land in spam if the content pattern, sending infrastructure reputation, or recipient behavior signals indicate it as unwanted.
Email at rest and end-to-end encryption
Once delivered, email is stored server-side in your mailbox. IMAP clients access it on demand; the provider controls the storage and can read it. Server-side storage means quotas, search indexes, and access from any device — but also means the provider has access. End-to-end encryption addresses this: S/MIME uses X.509 certificates to sign and encrypt messages, with the recipient's public certificate used to encrypt and only their private key able to decrypt. OpenPGP/GPG uses a web-of-trust key model rather than certificate authorities. Both approaches work but require both sender and recipient to have set up keys in advance — the coordination burden is why end-to-end encrypted email remains rare outside security-focused users and organizations.
Why Email Is Store-and-Forward
Email is built to survive temporary failures. If the recipient server is unavailable, the sender's mail server queues the message and retries — typically for up to 5 days — before giving up and sending a bounce. This is fundamentally different from real-time chat, which requires both parties to be reachable simultaneously through a live service.
Frequently Asked Questions
What protocol sends email?
SMTP sends email between clients and servers and between mail servers. IMAP and POP3 are used to retrieve or synchronize messages after delivery.
What does an MX record do?
An MX record tells sending mail servers which mail servers accept email for a domain and the priority order to try them.
Why does email sometimes go to spam?
Spam placement can be caused by poor sender reputation, missing or failing SPF/DKIM/DMARC checks, suspicious content, bad links, user complaints, or recipient filtering policy.