We’re going to go over what SMTP is, whether it’s truly secure enough (or if it’s too vulnerable), how to better secure it with SMTPS, and what ports you’ll need to use.
What is the difference between SMTPS and SMTP?
SMTPS uses additional SSL or TLS cryptographic protocols for improved security compared to SMTP.
By default, the SMTP protocol lacks encryption and can be used to send emails without any protection in place. This leaves emails over SMTP susceptible to man in the middle attacks and eavesdropping from bad actors while messages are in transit.
SMTPS utilizes either TLS or SSL to secure email communications using asymmetric cryptography. The main takeaway is that SMTP is susceptible to attacks while SMTPS uses TLS for email to provide a secure connection.
Email that is not secured using SMTPS is vulnerable to a series of attacks that can modify the contents of a message or reroute that message to an attacker before being passed on to the intended recipient.
Attackers exploit the unencrypted communications by injecting their own malicious SMTP commands into data as it is transmitted from a server. These types of attacks can be used to send spam from the vulnerable domain, steal sensitive information silently, or to conduct phishing attacks.
You can secure SMTP by enabling TLS on your mail server. By enabling TLS, you are encrypting the SMTP protocol on the transport layer by wrapping SMTP inside of a TLS connection. This effectively secures SMTP and transforms it into SMTPS.
Port 587 and 465 are both frequently used for SMTPS traffic. Port 587 is often used to encrypt SMTP messages using STARTTLS, which allows the email client to establish secure connections by requesting that the mail server upgrade the connection through TLS.
Port 465 is used for implicit TLS and can be used to facilitate secure communications for mail services. According to the IETF this is preferred over using STARTTLS on port 587.
Lastly, port 2525 is sometimes also used. Some residential ISPs will block port 25 to stop users from running their own mail servers. To combat this, enthusiasts and small home businesses use port 2525.
Users can verify that their email client has SMTP enabled by checking their client settings. Outlook users can verify this by doing the following:
Click on File > Accounting Settings. Then open the Account Settings box.
Choose your email from the Email tab, then click the Change icon. In the Server Information section, ensure that the Outgoing Mail server is set to your mail server address.
Under the Outgoing Mail tab, ensure that “SMTP requires authentication” is checked.
You can verify the ports your mail client is using by checking on the Advanced tab.
System administrators can enable SMTPS through the settings on their SMTP connector. This step will vary depending on which mail server you are running. When configuring the SMTP connector, there are options for setting the authentication type, where TLS will be an option.
You can check to see if your emails are being sent securely by viewing the headers of the email in question. This can be done in most modern email clients. In Outlook, this can be done by doing the following:
Open the email you wish to check the security of.
Navigate to File tab > Properties. This will open up the email header information which will contain transmission information, including encryption details if they are being applied.
For Gmail users the process is a bit easier. To check if the email is being sent via SMTPS simply open the email in question and click the small arrow next to your name underneath the sender’s address. You should see something like this:
The security tab will provide details about the type of encryption used to secure the email, along with the domain that signed the certificate above it.
SMTPS plays a key role in email security, but it can’t protect against all email-based threats. Emails using SMTPS are protected against:
● Man in the middle attacks
● Messages being read by attackers while in transit
● Messages being forwarded to attackers
● Phishing attacks that use lookalike domains
● Malicious attachments that contain viruses
● Links inside of emails that redirect to malicious sites
● Emails that use social engineering to trick recipients into sharing sensitive information
● Servers sending spoof emails from domains that they do not control
SMTPS keeps messages in transit secure from prying eyes. But what about spoofing, phishing, spam? Let’s take a quick look at a few email standards you can deploy to protect your email and domain.
Sender Policy Framework (SPF): Helps recipients of your messages verify that messages from your domain are in fact coming from you. SPF tells the world which servers you send email from. If a message is sent from your domain that does not originate from these servers, the SPF check fails.
DKIM (Domain Keys Identified Mail): Provides an extra layer of email authentication by giving the messages a digital signature. This helps prevent messages from being tampered with while in transit.
Domain-based Message Authentication Reporting and Conformance (DMARC): Is a technical specification that authenticates messages by aligning SPF and DKIM capabilities. Having DMARC fully implemented on your domain is one of the best ways to protect your brand from impersonation
Brand Indicators for Message Identification (BIMI): Provides domains that already use DMARC for authentication an extra layer of protection that displays their brand logo in email messages. This helps recipients visually identify when an email is legitimate, and helps companies build additional brand awareness through email campaigns.
Agari Email Protection uses SMTPS as well as DMARC to encrypt email messages and prevent attacks from spoofed domains. TLS and DMARC prevents inboxes from receiving fake emails from companies who have had their email spoofed.
Phishing attacks that use lookalike domains trick unsuspecting recipients into clicking links or sending sensitive information by pretending to be a trusted sender. These attacks can occur directly over a SMTPS connection since they don’t need to abuse a lack of encryption in order to succeed.
By combining SMTPS with Agari’s Advanced Email Protection, organizations can deploy an email security strategy that stops email-based attacks on all levels. For email protection that goes beyond SMTPS, see how Agari Phishing Defense works in action, or sign up for a free trial to experience the difference for yourself.