Can You Trust Email Senders? Understanding SMTP's Weaknesses & Why DMARC Became Essential

Despite being one of the oldest internet protocols still in daily use, SMTP has some not-so-simple problems that continue to enable spoofing, spam, and fraud.

SMTP—the Simple Mail Transfer Protocol—was designed in an era when trust was assumed, leaving the door open (literally) for spoofing, spam, and fraud. To understand why DMARC was needed, we first have to look at the holes in SMTP and the open relay era that hackers feasted on.

Why It Matters: SMTP's design flaws continue to be exploited today, enabling phishing, spoofing, and costly business email compromises. Knowing its weaknesses helps explain why DMARC is not just another acronym, but a crucial tool for modern email security.

Learning Objectives

By the end of this guide, you'll understand:

  • The fundamental weaknesses in SMTP that make email spoofing possible
  • How open relays once allowed (and sometimes still allow) spammers to hijack mail servers
  • How these legacy issues led to the development of authentication frameworks like DMARC

What Is SMTP and What Are Its Weaknesses?

SMTP (Simple Mail Transfer Protocol) is the protocol used to send email across the internet. First described in 1982 in RFC 821, SMTP was designed in a time when the internet was a small, academic space where users trusted each other. Security? Not a priority.

Here's what SMTP doesn't do out of the box:

  • It doesn't verify the identity of the sender
  • It doesn't ensure the message content hasn't been tampered with
  • It doesn't link what's visible in the "From" field with the actual sending domain

Imagine mailing a letter: with SMTP, you can write any return address you want on the envelope. The post office (SMTP servers) will deliver it without question. Now imagine a criminal writing your name and address on threatening letters. That's email spoofing in a nutshell.

Common SMTP Attack Vectors

  • Envelope/Header Mismatch - SMTP uses two layers: the envelope sender (MAIL FROM) and the header sender (From:). Attackers abuse this by making the envelope benign but forging the visible header
  • No Built-In Authentication - SMTP accepts whatever domain the sender claims. There's no "show me your ID" moment
  • Open Relays - Until the late '90s, most servers allowed anyone to send mail through them. Think of a hotel printer that lets anyone walk in and print anything

Why Was This a Problem?

Because it was cheap and easy to abuse.

In the 1990s, roughly 90% of SMTP servers were open relays. Spammers quickly realized they could send millions of emails from these servers, hiding their real identities. That's why your aunt's dial-up inbox was filled with miracle pills and suspicious bank notices.

Even as spam filters improved, more serious threats emerged:

  • Phishing emails that pass as your boss or your bank
  • Business Email Compromise (BEC), where attackers spoof legitimate domains and trick employees into wiring money
  • Fake invoices, credential harvesting, and malware-laced attachments disguised as internal messages

By the early 2010s, spam made up 85% of all email traffic. And most of it slipped right past basic email defenses.

How Do SMTP Vulnerabilities Actually Work?

Let's break down how attackers exploit the gap between the envelope sender (what servers see) and the header sender (what users see).

Imagine an attacker wants to send an email that appears to come from [email protected]. The attacker controls a different domain, attackers-domain.com, which they have configured with a valid SPF record. Here's what the SMTP conversation looks like:

# The attacker's server connects and introduces itself
EHLO mail.attackers-domain.com

# The attacker uses their *own* domain for the envelope sender
# SPF will check this domain and it will PASS if configured correctly
MAIL FROM:<[email protected]>

# The recipient is the target
RCPT TO:<[email protected]>

# The message data starts
DATA

# The attacker forges the "From" header, which is what the user sees
From: "Company CEO" <[email protected]>
Subject: Urgent: Wire Transfer Request

Please process an urgent wire transfer for $10,000 to our new vendor. Details attached.
.

Here's the critical failure:

  • The receiving mail server performs an SPF check on the MAIL FROM address: [email protected]. Since the attacker controls this domain and its SPF records, the check passes.
  • The victim's email client displays the From: header: "Company CEO" <[email protected]>.

The message appears legitimate, and it passed a key authentication check (SPF), yet it's a complete forgery. This is the exact vulnerability DMARC was designed to close by requiring that the domain in the From: header aligns with the domain in the MAIL FROM (for SPF) or the DKIM signature. Without alignment, a "pass" is meaningless.

How Did Open Relays Contribute?

Open relays were SMTP servers configured to forward any message from anyone to anyone. They didn't ask "who are you?" or "should I let this go through?"

Spammers loved them. They could send thousands of emails via someone else's infrastructure, avoiding blocklists and bouncing responsibility.

Even today, misconfigured servers occasionally behave as open relays, or allow SMTP smuggling—a newer trick that exploits inconsistent command parsing between servers to bypass filters and relay unauthorized mail.

What's a Typical SMTP Configuration and Where Are the Gaps?

Here's a bare-bones Postfix (a popular SMTP server) config snippet:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Let's break it down:

  • permit_mynetworks - Allows trusted IPs to relay mail
  • reject_unauth_destination - Rejects mail addressed to domains this server is neither the final destination for nor configured to relay

That's the basic "don't be an open relay" setup. But it doesn't handle identity verification, spoofing protection, or header alignment.

Common Pitfalls and FAQs

1. "I'm not an open relay anymore. I'm safe, right?"

Not entirely. If your domain lacks SPF, DKIM, or DMARC, attackers can still spoof your email in ways your recipients can't detect.

2. "Why didn't SPF and DKIM solve this?"

SPF checks the IP address that sends mail, but only for the envelope sender—not what the user sees. DKIM signs message headers but doesn't require the signing domain to match the "From" address. Both lacked alignment and enforcement.

3. "Is SMTP still dangerous?"

Yes, if left unguarded. Modern attacks exploit its design flaws in subtle ways (like SMTP smuggling). But when paired with DMARC, SPF, and DKIM, it's much safer.

What Came Next?

Because SMTP couldn't evolve quickly, the security community developed add-ons. SPF and DKIM came first. But without enforcement, spoofers still got through.

That's where DMARC entered.

DMARC checks whether SPF or DKIM passed and whether their domains align with the visible "From" address. It then lets the domain owner say, "If this fails, reject it—or at least quarantine it." It also provides reporting, so you can see who's trying to spoof your domain.
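
The check described here, applied to the forged exchange from the walk-through earlier, as an added example (not code from the original page): a simplified DMARC evaluator. The `ceo@example.com` address, the function names, and the four-entry suffix set standing in for the Public Suffix List are assumptions; SPF and DKIM results are taken as inputs rather than computed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw, mail_from_domain, spf_result, dkim_results, policy, strict=False):
    """dkim_results is a list of (d= domain, result). Returns (verdict, disposition)."""
    on_fail = policy if policy in ("reject", "quarantine") else "deliver"
    from_headers = message_from_string(raw).get_all("From", [])
    if len(from_headers) != 1:
        return ("fail", on_fail)  # this sketch treats a missing or repeated From as a failure
    from_domain = parseaddr(from_headers[0])[1].rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, strict)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict) for d, res in dkim_results)
    return ("pass", "deliver") if spf_ok or dkim_ok else ("fail", on_fail)

# Constructed message mirroring the forged exchange; example.com stands in for the victim domain.
SPOOFED = (
    'From: "Company CEO" <ceo@example.com>\n'
    "Subject: Urgent: Wire Transfer Request\n\n"
    "Please process an urgent wire transfer.\n"
)

if __name__ == "__main__":
    # SPF and DKIM both pass for attackers-domain.com, yet neither aligns with the From domain.
    print(dmarc_evaluate(SPOOFED, "attackers-domain.com", "pass",
                         [("attackers-domain.com", "pass")], policy="reject"))
    # Same header sent by the real owner from a subdomain: relaxed alignment passes.
    print(dmarc_evaluate(SPOOFED, "bounce.example.com", "pass", [], policy="reject"))
```

With `policy="none"` the forged message still fails evaluation but is delivered, which is why a monitoring-only policy reports spoofing without stopping it.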

Historical Context: Think of SMTP as a legacy building with no locks on the doors. DMARC is the modern security system bolted on to keep impersonators out—and finally let us trust email again.

Next Steps

Understanding SMTP's weaknesses is the first step in appreciating why modern email authentication protocols were developed. In the next sections, we'll explore how SPF and DKIM attempted to address these issues, and why DMARC was ultimately needed to tie it all together.