How Does Email Get Delivered? SMTP, Spam Filters, and SPF/DKIM

4 min read

Send an email and it reaches the other side of the world in seconds. Yet some mail ends up in the spam folder, and now and then you’ve clearly sent something but the recipient says it never arrived. That’s because several invisible stages are hidden in the journey mail takes.

In this post, I’ll unpack, without any code, how email is delivered to the recipient, and why some mail gets classified as spam.

Email is delivered by a post-office relay #

Email doesn’t fly straight from the sender’s computer to the recipient. Along the way, mail servers hand it off one step at a time, like post offices. When you send mail, it first goes to your mail server, and that server finds the recipient domain’s mail server and passes it along. The protocol by which servers exchange mail is called SMTP.

It resembles posting a letter. The letter I drop in the mailbox passes through the local post office, moves to the post office in the recipient’s region, and from there lands in the recipient’s mailbox. Email, too, moves from the sending server to the receiving server before being placed in the recipient’s inbox.

The receiving side checks whether you’re really the sender #

There’s one big difference between a letter and an email: an email’s sender address can be forged with ease. Just as you can write someone else’s name on an envelope, you can craft mail that looks as if it came from your address when it really didn’t. It’s a tactic spam and scam mail commonly use.

So the receiving mail server tries to confirm whether the arriving mail really was sent from that domain. The mechanisms that help with this check are SPF and DKIM, which I’ll explain next.

SPF and DKIM are the sender’s seal #

SPF is a list, published in advance, of “these are the only servers allowed to send mail for this domain.” The receiving server checks whether the arriving mail came from a server on that list. DKIM is a way of attaching a cryptographic signature from the domain to the mail. The receiving server checks that signature to verify that the content wasn’t altered in transit and that it really was sent from that domain.

Both are recorded in that domain’s DNS. When we covered domains and DNS earlier, I described DNS as a signboard holding various information about a domain. SPF and DKIM are items written on that signboard too. So if you skip this setup when you start sending mail from a new domain, even perfectly legitimate mail draws suspicion.

A spam filter judges by a combined score #

Whether something is spam isn’t decided by a single criterion. The receiving server scores it by combining factors: whether it passed sender authentication, what the sending domain’s reputation is, whether the content contains phrasing commonly seen in spam, and whether recipients have reported similar mail. When that score crosses a certain threshold, the message is sent to the spam folder.

So even identical content yields different results depending on which domain sent it. A carefully written marketing email landing in spam is often the result of factors like authentication and reputation working together.

So, to make mail arrive reliably #

To get mail to land in the inbox reliably, the first basic step is to set up SPF and DKIM properly on the domain. Next is reputation. Sending too much mail at once or accumulating frequent spam reports erodes your reputation, and subsequent mail gets pushed to spam too.

Content can’t be ignored either. Clearly offering a way to unsubscribe and sending only to people who asked for it is, in the end, the way to protect your deliverability.

Why this makes work easier for non-developers #

  • You understand sending mishaps. When a query comes in that mail didn’t go through or fell into spam, you can gauge and explain which stage the problem is at.
  • You read setup requests. When a developer says “let’s set up SPF or DKIM,” knowing these are mechanisms that prove the sender makes the conversation faster.
  • You protect marketing mail. Knowing that deliverability depends on authentication and reputation, you can design campaigns that nurture your sender reputation rather than blasting out mail recklessly.

Wrapping up #

Today we looked at how email is delivered by a relay of mail servers, how the receiving side verifies the sender with SPF and DKIM, and how a spam filter judges by combining several factors. The key is that, because a sender can be forged so easily, these verification devices are needed.

If you’re curious about the encryption that protects mail content, read What the Padlock in Your Address Bar Protects; if you’d like to revisit what the DNS that SPF and DKIM are recorded in is, read Domains, DNS, and SSL — Why a Site Suddenly Goes Down.

X