DEV Community

Cover image for WordPress Email Handbook 2023
Felix Mellitzer for Omniploy

Posted on • Edited on • Originally published at omniploy.com

WordPress Email Handbook 2023

For most of us, email is a way to communicate over the internet. In this article, you’ll find out why you as a WordPress developer should consider learning more about email.

Email in a Nutshell

In the simplest form, people use electronic devices (the e in email), to exchange messages (mail) – email. 1971 – the first email ever was sent between two computers over the so-called ARPANET. The ARPANET was the early internet.

Today email is still the number one way of communication with over 4 billion people participating. In comparison to WhatsApp has “only” about 2 billion active users.

Structure of an email

The famous “@” separates the alias from the domain name. The domain is owned by somebody, which in turn controls where emails go. For example, emails to @gmail.com addresses will go to the Google Mail servers because the MX records point there.

How does an email get from sender to receiver?

If you send an email, it doesn’t go directly from your computer to the receiver’s computer. The key to communication is the so-called client-server principle. One distinguishes between an incoming mail server and an outgoing mail server.

The difference between the incoming mail server and the outgoing mail server is that email was invented in order not to be always connected to the internet. Check out the history of email if you are interested.

As a result, you need two servers – an incoming mail server and an outgoing mail server. The outgoing mail server is required to send emails. To receive and save emails, you need an incoming mail server. However, most mail server applications nowadays do both.

The entire email communication relies on the protocols SMTP, POP, and IMAP.

Simple Email sending Process

In a standard scenario, as soon you hit the send button, your email client (Mail User Agent, MUA) sends the mail to the outgoing mail server (Mail Transfer Agent, MTA) with SMTP. Your mail server in turn sends the email with SMTP to your receiver’s MTA. Because the MTA can’t send the mail to the receiver directly, it moves the email to the mail inbox server (Mail Delivery Agent, MDA). Now the receiver’s email client (MUA) collects the email via POP or IMAP.

I guess most of us today use web clients. With a web client, you can access your email using a standard web browser like Google Chrome, all you need is an internet connection. The most common webmail providers are probably Gmail and outlook.

Web clients use HTTP to access, manage, and send emails. Your web client is like an interface that lies on the server.

The sending process changes a bit. Instead, your email client sends the email with SMTP to your MTA, your web client sends it with HTTP(s) to your MTA.

After your SMTP server gets an email from your email client, the SMTP server is responsible for sending the email to the receiver’s SMTP Server. DNS plays a key role here. DNS servers provide so-called MX-Records (Mail Exchange Records). MX records tell your mail server the receiving mail servers for a particular domain.

MX-Records from google.com

When you send an email, your SMTP server sends an MX DNS request to a DNS server, which response with the addresses of the hostnames of the receiving mail servers.

This can be one or multiple. The “Preference” indicates the importance. The lower the number, the higher the priority. The server then makes an IP DNS lookup to get the IP addresses of the receiving mail servers and tries to send the email to these hosts according to the preference order.

Which protocols are used?

Simple Mail Transfer Protocol (SMTP)

SMTP is the communication protocol that is mostly used for sending emails between SMTP servers. If you use an email client, you also send with SMTP to your SMTP server, but if you use a web client you send with HTTP.

When we talk about email, we mostly talk about SMTP. This is the key protocol for sending emails.

More on SMTP later.

Post Office Protocol (POP)

POP is also a protocol for communication. The main purpose of POP is to collect emails from the mail inbox server. The most recent version is POP3, which was released in 1988, so if anyone talks about POP, he is for sure meaning POP3.

Not everyone who is using email is constantly connected to the internet. Every email needs to be cached on the device. Your email client can use POP3 to collect emails from the mail server (mail inbox server) as soon as you are connected.

If you want to access your emails from more than one client, for example, your smartphone, POP3 is not an optimal solution. This is because POP3 only allows you to collect and delete emails. POP does not support moving or copying emails.

Internet Message Access Protocol (IMAP)

IMAP has fundamentally the same purpose as POP3, but IMAP has more functionality. Over IMAP, you can, in contrast to POP, create, delete, rename, mark as read, and check if new emails have arrived. With IMAP, you can manage the emails on your mail server and all emails stay on the server.

Having multiple email clients is with IMAP not a problem anymore. You can access your mail server from multiple email clients and have the same state on all of them. IMAP synchronizes everything between the email clients.

POP vs IMAP

The main difference between POP and IMAP is the functionality. Today, most of the time IMAP is used. This is because, in the “always online” age, we use multiple email clients (PC, Laptop, Phone, etc.) to access and manage our emails.

POP vs IMAP

SMTP

As I introduced earlier, SMTP is the main communication protocol, when we talk about email. SMTP is the communication protocol between your email client and your SMTP server (outgoing mail server) and between your SMTP server (MTA) and your receiver SMTP server (MTA).

Status codes

On every STMP communication, whether client-server or server–server, SMTP always responds with a status code.

A standard communication between the client and the SMTP server would look like this:

SMTP communication with status codes

SMTP has more status codes. These status codes may remind you of HTTP status codes if you are familiar with them.

  • 1XX – The request is accepted but not yet processed
  • 2XX – The request has been completed
  • 3XX – The request is accepted, but more information is needed
  • 4XX – The request was not accepted, if it would be repeated it could work
  • 5XX – The request was not accepted, and the action did not occur

Original SMTP vs Modern SMTP

The original SMTP was born in 1981. At that time, SMTP was only supporting unauthenticated communication. The Internet Mail Consortium (closed in 2002) reported that 55% of mail servers were open relays in 1998, but less than 1% in 2002. An open mail relay is a normal STMP server, but anyone on the Internet can send emails through it.

Today unauthenticated communication would be unimaginable.

The SMTP we know today is ESMTP (Extended Simple Mail Transfer Protocol). ESMTP was defined in 1995. With a few extensions (E)SMTP becomes the mail standard used today.

For example, the email client identifies itself at the SMTP server with HELO (originally), but if the SMTP server is supporting ESMTP it identifies with EHLO. The major extensions of ESMTP are authentication from the email client, encryption, and attachments.

Which ports is SMTP using?

There are a lot of ports you can use to send with SMTP. The main ports are 25, 465, 587, and 2525. Which should you use?

25 is the standard SMTP port but this port doesn’t get used often anymore. Port 25 is used for unencrypted SMTP connections. This poses a security threat and therefore many Internet Service Providers block port 25. Today port 25 is mostly used between SMTP Servers.

Since RFC 8314 port 465 and 587 are both valid ports for encrypted SMTP communications. Fun fact: Port 465 was never officially ratified for SMTP transmission by the IETF. Instead, the IANA, which maintains the core internet infrastructure registered port 465 for SMTPS. Port 465 is used for SMTP over Secure Sockets Layer (SSL) or TLS.

On the other hand, port 587 uses STARTTLS for encrypted communication. Port 587 also follows the guidelines set by the IETF.

Many people are using port 2525, but this port is not recommended by the IETF nor IANA. Port 2525 is like an unofficial alternative to port 587.

Long story short, I would use the SMTP ports in that order:

  • 465: Implicit SSL/TLS encryption
  • 587: STARTTLS is more vulnerable for downgrade attacks than implicit SSL/TLS
  • 25: For sending emails between mail servers
  • 2525: Only to use if every other port is blocked

On the picture below, I sent myself an email with a telnet client. I sent a request to my mail server “telnet work-mx.app.hey.com 25” the 25 is the port we address. As an answer, I got a 220 status code, which stands for “Service ready.” Also, the server answers with ESMTP Postfix. We already know that ESMTP is Extended SMTP and Postfix is the email server.

After this, I start the SMTP session with the keyword “EHLO” (not HELO, because we use ESMTP) and my identification. Now the mail server answers with a few 250 status codes. These are just information for the email client.

Finally, I tell the SMTP server from whom the email is coming and to whom it’s going, write the email, and send it.

PS C:\Users\felix> telnet work-mx.app.hey.com 25
220 work-mx.app.hey.com ESMTP Postfix
EHLO tfm.agency
250-haystack-mail-work-inbound-postfix-2.localdomain
250-PIPELINING
250-SIZE 39146841
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKING
MAIL FROM:<hello@tfm.agency>
250 2.1.0 Ok
RCPT TO:<hello@tfm.agency>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Hi, have you already tried omniploy for your WordPress websites?
.
250 2.0.0 Ok: queued as 0CF4D3D
QUIT
221 2.0.0 Bye

Connection to host lost.
Enter fullscreen mode Exit fullscreen mode

Spam

We all know spam. Spam is if someone sends unsolicited emails in bulk. But do you know how much spam is around the world?

Email spam statistics reveal 47.3% of all emails in 2020 were spam. (Spam Statistics 2021 | 99firms)

That is almost every second email – that’s huge. But that’s not all.

94% of malware is delivered via email.

So, spam is not just annoying, but it could also be dangerous. A good question would be how to protect our WordPress websites from spam?

How does spam protection work?

First, email is a big and complex topic. You can never block every single spam mail that is coming into your inbox. But if you set up your security protocols properly, you can minimize the risk of getting spam or that anybody can spam from your domain.

What are DKIM, DMARC, SPF?

There are three well-known authentication methods to prove to Internet Service Providers and mail services that the sender is truly authorized to send emails from a particular domain.

Sender Policy Framework (SPF)

SPF is an email authentication method. It indicates which mail servers are authorized to send emails from a particular domain using a TXT DNS record.

If you want to set up an SPF record in your DNS records, you need to create a TXT record and define which servers are allowed to send emails. An SPF record example looks like this:

Example of an SPF Record

You define who can send emails with your domain. As we can see in the example above, you can add IP addresses and third-party organizations that are allowed to send your emails. In the end, you can see the end mechanism ~all.

It’s for setting the permissions. There could be other tags as well, but this must be at the end!

  • -all: Error, all servers who are not listed in the SPF record are not authorized to send emails (emails will be rejected)
  • ~all: Soft error, all emails from not listed server will get sent but marked
  • +all: This tag allows any server to send emails from your domain. (Not Recommended)

Process of SPF Check

DomainKeys Identified Mail (DKIM)

DKIM makes sure that nothing is tampered with between the mail servers.

This is possible because DKIM utilizes asymmetric encryption to sign messages before they are sent. A public/private key pair is generated on your SMTP server. The public key is set in your DNS as a TXT-Record. Now, every email you send through your SMTP server is signed with your private key. For creating the signature, DKIM uses the Hash function SHA-256. This hash will be signed with RSA (cryptographic process). On Socketlabs you can generate a DKIM for yourself.

When the receiving mail server gets an email from you, it verifies the signature in your email header with the public key in your DNS.

Process of DKIM Check

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC builds on SPF and DKIM to validate emails further by matching the validity of SPF and DKIM records. This enables you to set policies and get generated reports in case the DMARC validation fails.

And as well as with SPF and DKIM, DMARC is a TXT-Record in the DNS.

Process of DMARC Check

These are the three main methods to prevent spam emails. To protect yourself and others, you should implement all of these in your mail infrastructure.

If you send your WordPress transactional emails over Omniploy, we will take care of all of that, so you don’t have to.

DNS-based Blackhole List (DNSBL)

Let’s make a short introduction to DNSBLs. These are blacklists for suspicious IPs. Most DNSBLs contain IP Addresses, which were used for spamming. Good Anti-spam infrastructure can evaluate the Blacklists and react to malicious email transfer – and that in real-time.

Technically this is not a big deal. This is just a simple DNS request.

Process of DNSBL Check

Let’s make a test with the DNSBL from spamhaus.org. To get the IP-Address from omniploy.com, I make a nslookup (name server lookup).

PS C:\Users\felix> nslookup omniploy.com
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: omniploy.com
Address: 116.202.215.49
Enter fullscreen mode Exit fullscreen mode

Now I know my IP-Address and can check if my IP-Address is in the DNSBL.

PS C:\Users\felix nslookup 116.202.215.49.zen.spamhaus.org
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can't find 116.202.215.49.zen.spamhaus.org: Non-existent domain
Enter fullscreen mode Exit fullscreen mode

Luckily our IP-Address is not found (that would be a surprise). But to get an example for a blocked IP-Address, I just go into my spam folder and look from which domain the spam emails get sent.

I took the first domain and made a nslookup to get the IP-Address and check if the IP-Address is listed in the DNSBL.

PS C:\Users\felix> nslookup 123.126.96.181.zen.spamhaus.org
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: 123..126.96.181.zen.spamhaus.org
Address: 127.0.0.11
Enter fullscreen mode Exit fullscreen mode

The answer is 127.0.0.11. According to spamhaus.org this is a blocked IP-Address.

spamhaus status codes

If your mail server uses the DNSBL from spamhaus.org, every email sent by this IP-Address would land in the spam folder. (just like with me)

DNSBLs have a few pros and cons. The main advantage is that spammers get detected and blocked.

But on the other hand, if you are on a shared mail server and another person on this server sends spam, you are also affected, even if you don’t spam. This would be a false-positive result.

This is also the reason why we’d always recommend going with hosting packages with dedicated IPs instead of shared ones.

Conclusion

If you have read this far, you should now have a good overview of how email works, this knowledge helps you to understand why your WordPress websites may have problems with email. As you can see that a lot of steps are required to send a simple email.

If you have learned something useful, feel free to share this article with others.

Top comments (0)