- An email passes through 6-8 distinct systems between clicking "send" and reaching the recipient's inbox: MUA, MSA, sending MTA, DNS/MX lookup, receiving MTA, authentication checks, spam filters, and MDA.
- The SMTP protocol governs communication between mail servers, using a specific handshake sequence (HELO/EHLO, MAIL FROM, RCPT TO, DATA) that has remained fundamentally unchanged since 1982.
- Every receiving server performs three categories of checks before delivering: authentication (SPF, DKIM, DMARC), reputation (IP and domain history), and content analysis (spam scoring).
- A "delivered" email is one that was accepted by the receiving server. It says nothing about whether the message reached the inbox, the promotions tab, or the spam folder. That final decision happens after SMTP delivery completes.
Email feels instant. You click send, and seconds later a message appears in someone else's inbox halfway around the world. But between that click and that appearance, your message passes through a chain of systems, protocols, and decisions that most senders never see.
Understanding this chain is not academic. Every deliverability problem, every spam folder placement, every bounced message traces back to a specific step in this process. When you know how the system works, you know where to look when it breaks.
The Cast of Characters
Before tracing the journey, here are the key systems involved:
| Component | Full Name | Role | Example |
|---|---|---|---|
| MUA | Mail User Agent | The email client the user interacts with | Gmail web, Outlook, Thunderbird, Apple Mail |
| MSA | Mail Submission Agent | Accepts outgoing mail from the MUA, validates formatting | Your ESP's submission endpoint (port 587) |
| MTA | Mail Transfer Agent | Routes and relays email between servers via SMTP | Postfix, Exim, Microsoft Exchange, SendGrid |
| DNS | Domain Name System | Resolves domain names to IP addresses and mail server records | MX, SPF TXT, DKIM TXT, DMARC TXT records |
| MDA | Mail Delivery Agent | Deposits the message into the recipient's mailbox | Dovecot, Gmail's internal delivery system |
| MUA (again) | Mail User Agent | The recipient's client retrieves and displays the message | Gmail app, Outlook, Apple Mail |
Step 1: Composing and Submitting the Message
When you compose an email in your mail client (the MUA), your client builds a structured message with two distinct parts:
- The envelope: Contains the SMTP-level routing information, specifically the envelope sender (MAIL FROM) and the recipient address (RCPT TO). This is like the address written on a physical envelope.
- The message: Contains the headers (From, To, Subject, Date, Message-ID, MIME type) and the body (your actual content). This is like the letter inside the envelope.
The envelope and the message are separate. The From address displayed to the recipient (in the message headers) can differ from the envelope sender (used for routing and bounces). This separation is by design, but it is also what makes spoofing possible, which is why authentication protocols like DMARC exist to verify that these identities align.
Your MUA connects to the Mail Submission Agent on port 587 (or 465 for implicit TLS) using authenticated SMTP. The MSA verifies your credentials, validates the message format, and passes it to the outbound MTA for delivery.
Port 25 was originally used for all SMTP communication, but it is now reserved for server-to-server (MTA-to-MTA) traffic. Client-to-server submission uses port 587 (STARTTLS) or port 465 (implicit TLS). Many ISPs block outbound port 25 from consumer connections to prevent spam from infected machines.
Step 2: The DNS Lookup
The sending MTA needs to know where to deliver the message. It extracts the domain from the recipient's address (e.g., "example.com" from user@example.com) and queries DNS for the domain's MX (Mail Exchange) records.
MX records specify which servers accept email for a domain, along with priority values:
example.com. IN MX 10 mail1.example.com.
example.com. IN MX 20 mail2.example.com.The sending MTA tries the server with the lowest priority number first (mail1). If that server is unreachable or returns a temporary error, it falls back to the next priority (mail2). If no MX record exists, the MTA falls back to the domain's A record as a last resort.
The MTA then resolves the MX hostname to an IP address (via A/AAAA records) and establishes a TCP connection to port 25 on the receiving server.
Step 3: The SMTP Handshake
Once the TCP connection is established, the two servers perform an SMTP handshake. This is a structured conversation that has remained fundamentally the same since RFC 5321 (and its predecessor RFC 821, published in 1982):
Receiving: 220 mx.example.com ESMTP ready
Sending: EHLO sender.example.org
Receiving: 250-mx.example.com Hello
250-SIZE 52428800
250-STARTTLS
250 OK
Sending: STARTTLS
Receiving: 220 Ready for TLS
[TLS negotiation happens here]
Sending: MAIL FROM:<bounce@sender.example.org>
Receiving: 250 OK
Sending: RCPT TO:<user@example.com>
Receiving: 250 OK
Sending: DATA
Receiving: 354 Start mail input
Sending: [Headers and body of the message]
.
Receiving: 250 OK, message queued
Sending: QUIT
Receiving: 221 ByeSeveral important things happen during this handshake:
- EHLO/HELO: The sending server identifies itself. The receiving server checks whether the HELO/EHLO hostname resolves and matches the connecting IP. Mismatches can trigger spam scoring.
- STARTTLS: If both servers support TLS, they negotiate an encrypted connection. In 2026, most major providers require or strongly prefer TLS for inbound connections.
- MAIL FROM: This sets the envelope sender (also called the Return-Path). Bounce notifications go to this address.
- RCPT TO: Specifies the recipient. The receiving server can accept or reject at this point (e.g., if the address does not exist, returning a 550 error).
- DATA: The full message (headers + body) is transmitted. The receiving server accepts it into its queue and returns a 250 confirmation.
Tip: The 250 response after DATA means the receiving server accepted the message into its processing queue. It does not mean the message reached the inbox. Post-acceptance filtering (spam checks, reputation evaluation) happens next, and can still result in spam folder delivery or silent discard.
Step 4: Authentication Checks
After accepting the message, the receiving server performs authentication checks. These happen in a specific order and each checks something different:
SPF (Sender Policy Framework)
The receiving server looks up the SPF TXT record for the domain in the MAIL FROM (envelope sender). This record lists which IP addresses are authorized to send for that domain. If the sending server's IP is not in the list, SPF fails.
DKIM (DomainKeys Identified Mail)
The receiving server reads the DKIM-Signature header in the message, extracts the selector and domain (d= and s= values), looks up the corresponding public key in DNS, and verifies the cryptographic signature. If the signature does not match, the message was altered in transit or the DKIM key is wrong.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together with alignment: the domains authenticated by SPF or DKIM must match the domain in the visible From header. If neither SPF nor DKIM passes with alignment, DMARC fails, and the receiving server follows the domain's published DMARC policy (none, quarantine, or reject).
Step 5: Reputation and Spam Filtering
Authentication tells the receiving server who sent the message. Reputation tells it whether that sender is trustworthy. These are separate questions.
The receiving server evaluates sender reputation using signals including:
- IP reputation: The sending IP's history of spam complaints, spam trap hits, and volume patterns.
- Domain reputation: The sending domain's historical engagement (opens, clicks, complaints, unsubscribes).
- Content analysis: SpamAssassin scores, Bayesian classification, machine learning models that analyze the message text, links, HTML structure, and attachments.
- Engagement history: How have this sender's previous messages performed with this specific recipient and with the provider's broader user base?
- Blocklist checks: Is the sending IP or domain listed on any DNSBL (DNS-based blocklist)?
Each mailbox provider uses its own proprietary blend of these signals. Gmail weights engagement heavily. Microsoft emphasizes IP reputation and content analysis. Yahoo uses a combination of both. The exact algorithms are not public, but the input signals are well-documented.
Step 6: The Final Delivery Decision
Based on the combined results of authentication, reputation, and content analysis, the receiving system makes a final delivery decision:
- Inbox (Primary): The message is trusted and delivered to the main inbox.
- Category/Tab: The message is legitimate but categorized (Gmail's Promotions, Updates, or Social tabs; Outlook's "Other" inbox).
- Spam/Junk: The message passed enough checks to be accepted but is flagged as unwanted.
- Silent discard: Some providers accept the message (returning 250 OK) but silently drop it without delivering to any folder. This is rare but does happen for known spam sources.
The Mail Delivery Agent (MDA) handles the physical storage of the message into the recipient's mailbox. For consumer providers, this is a highly distributed storage system. For on-premises servers, it might be Dovecot or a Microsoft Exchange mailbox store. The recipient's MUA then retrieves the message via IMAP or a proprietary API for display.
When debugging deliverability issues, work backward through the chain. First, check if the message was accepted (SMTP logs). Then check authentication (SPF, DKIM, DMARC results in the email headers). Then check reputation (Google Postmaster Tools, Microsoft SNDS). Finally, check content (spam scoring). Each step narrows the possible cause.
When Things Go Wrong: Where Failures Happen
Bounce at SMTP Level
If the receiving server rejects the message during the SMTP handshake (e.g., invalid recipient, blocked IP), the sending MTA generates a bounce notification (NDR) back to the envelope sender. These are 5xx codes for permanent failures (hard bounces) and 4xx codes for temporary failures (soft bounces/deferrals).
Post-Acceptance Filtering
If the server accepts the message (250 OK) but then routes it to spam, there is no bounce notification. From the sending MTA's perspective, the delivery was successful. This is the most frustrating type of deliverability failure because your logs show success while the recipient never sees the message.
Retry and Queue Management
When a sending MTA receives a 4xx temporary failure (common during throttling or graylisting), it places the message in a retry queue. The MTA will attempt redelivery on an exponential backoff schedule, typically trying every 15 minutes, then 30, then 60, up to 24-72 hours before giving up and generating a permanent bounce.
The Full Picture in One Diagram
Here is the complete flow condensed:
- You click send in your MUA (email client).
- MUA to MSA: Your client submits the message via authenticated SMTP (port 587/465).
- MSA to MTA: The submission agent passes the formatted message to the sending MTA.
- DNS lookup: The sending MTA queries DNS for the recipient domain's MX records.
- MTA to MTA: The sending MTA connects to the receiving MTA on port 25 and performs the SMTP handshake.
- TLS negotiation: If supported, the connection is encrypted via STARTTLS.
- Message transfer: The envelope and message are transmitted. The receiving MTA returns 250 OK.
- Authentication: The receiving server checks SPF, DKIM, and DMARC.
- Reputation and filtering: IP/domain reputation, content analysis, engagement signals, and blocklist checks are evaluated.
- Delivery decision: The message is placed in the inbox, a category tab, spam, or (rarely) silently discarded.
- MDA to mailbox: The Mail Delivery Agent stores the message.
- Recipient reads: The recipient's MUA retrieves and displays the message.
The entire process typically completes in 1-5 seconds for a single message. At scale, sending millions of messages involves connection pooling, queue management, IP rotation, and rate limiting to stay within each receiving provider's acceptance thresholds.
Frequently Asked Questions
SMTP (Simple Mail Transfer Protocol) is used for sending email between servers and from clients to servers. IMAP (Internet Message Access Protocol) is used for retrieving email from a server to a client. SMTP pushes mail outward; IMAP pulls mail inward. Most email systems use both: SMTP for sending and IMAP for reading.
"Delivered" means the receiving server accepted the message at the SMTP level (returned 250 OK). After acceptance, the server can still route it to the spam folder or, in rare cases, silently discard it. Delivered does not mean inbox placement. Use inbox placement testing to determine where your messages actually land.
Port 25 is used for server-to-server SMTP communication (MTA to MTA). Port 587 is the standard for client-to-server email submission with STARTTLS encryption. Port 465 is used for implicit TLS submission. Port 993 is used for IMAP over TLS (email retrieval). Port 143 is unencrypted IMAP, which is deprecated.
Yes. Authentication tells the receiving server who sent the message, but not whether the sender is trustworthy. A properly authenticated email from a domain with poor reputation, high complaint rates, or spammy content will still be filtered to spam. Authentication is necessary but not sufficient for inbox placement.
Under normal conditions, email delivery takes 1-10 seconds. Delays occur when the receiving server returns temporary failures (4xx codes), causing the sending MTA to queue and retry. Graylisting typically adds 5-15 minutes on the first send. Throttling by the receiving provider can delay delivery by minutes to hours for high-volume senders.