SMTP, ESMTP, and Message Delivery Internals

This page is a practical, protocol-level reference for senior engineers operating outbound and inbound mail systems. It covers state transitions, command semantics, extension negotiation, authentication, queue behavior, deliverability, and production debugging strategies from socket to message queue to DNS policy alignment.

RFC 5321 RFC 5322 RFC 3207 STARTTLS RFC 4954 AUTH SPF / DKIM / DMARC

Canonical Transaction Skeleton

220 → EHLO → STARTTLS → EHLO → AUTH → MAIL FROM → RCPT TO → DATA → 250 → QUIT

1. Protocol Model and Session State Machine

SMTP is line-oriented, request/response, and transaction-scoped. One TCP session may carry multiple transactions, but each transaction has strict envelope boundaries and independent recipient acceptance outcomes.

Connection Phases

Connect: Server sends 220 greeting, optionally with capability hints.
Session setup: Client issues EHLO and parses extension list.
Security/auth: STARTTLS, second EHLO, then AUTH.
Message transaction: MAIL FROM + one or more RCPT TO + DATA/BDAT.
Finalize: RSET for abort/reuse, QUIT to close gracefully.

Envelope vs Headers vs Body

Envelope: Routing metadata in SMTP commands, not necessarily visible to end users.
Headers: RFC 5322 metadata inside DATA, including From, To, Message-ID.
Body: MIME structure and transfer encodings (quoted-printable, base64, etc).
Misalignment between envelope and header identities is common in forwarding and bounce flows.

Key Operational Invariants

Never pipeline commands unless PIPELINING is advertised.
After TLS upgrade, capability set can change; always run EHLO again.
Recipient acceptance is per-recipient. A transaction can be partial-success.
4xx means retry logic; 5xx means permanent failure unless policy says otherwise.

Session open

TCP connect, banner read, timer starts (greeting timeout, inactivity timeout).

Capability phase

EHLO client.example → multiline 250-* capabilities.

Negotiation phase

Optional STARTTLS, then fresh EHLO, then optional AUTH.

Envelope phase

MAIL FROM establishes reverse-path and ESMTP params (SIZE, BODY, SMTPUTF8, RET, ENVID).

Recipient phase

Multiple RCPT TO, each may return distinct status and enhanced code.

Content phase

DATA then dot-terminated stream, or BDAT chunks if CHUNKING is used.

2. SMTP/ESMTP Command Reference (Practical Semantics)

Command behavior is heavily context-dependent. The same command can be valid syntactically but invalid in current state. Most field outages are state or policy errors, not parser errors.

Command	Typical Purpose	Important Edge Cases	Common Failure Signatures
`EHLO`	Announce client identity and request extensions.	Must be repeated after `STARTTLS`; fallback to `HELO` for legacy peers.	`500/502` on legacy server, `501` for malformed argument.
`STARTTLS`	Upgrade plaintext channel to TLS.	Any buffered pipelined commands are invalid once TLS starts.	`454 TLS not available`, certificate name mismatch, chain failure.
`AUTH PLAIN/LOGIN/XOAUTH2`	Authenticate submission client.	Policy often requires TLS first; mechanisms differ across providers.	`535 Authentication failed`, `534 policy requires TLS`.
`MAIL FROM:<...>`	Start transaction with reverse-path and sender params.	Can carry `SIZE`, `BODY=8BITMIME`, `SMTPUTF8`.	`552 message size exceeds fixed limit`, `550 sender rejected`.
`RCPT TO:<...>`	Add recipient to envelope.	Different responses per recipient; keep accepted set and continue.	`450/451` temporary recipient issue, `550/551/553` permanent reject.
`DATA`	Send RFC 5322 message payload.	Dot-stuffing required; server returns final accept/reject only after terminator.	`554 content rejected`, `451 processing error`.
`BDAT`	Chunked body transfer with CHUNKING extension.	No dot-stuffing semantics; chunk sizes must be exact and final chunk flagged.	`500/503` bad chunk sequence, parse mismatch.
`NOOP / RSET / QUIT`	Liveness check, transaction reset, graceful session close.	`RSET` clears envelope state but keeps session and auth context.	Timeout disconnect if peer hung; `221` expected on QUIT.

Raw SMTP examplemanual session over 587

$ openssl s_client -starttls smtp -crlf -connect smtp.example.net:587
220 smtp.example.net ESMTP ready
EHLO edge01.ops.example
250-smtp.example.net
250-PIPELINING
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 AUTH PLAIN LOGIN
STARTTLS
220 2.0.0 Ready to start TLS
... TLS handshake ...
EHLO edge01.ops.example
250 AUTH PLAIN LOGIN
AUTH PLAIN AHVzZXJAZXhhbXBsZS5uZXQAc2VjcmV0
235 2.7.0 Authentication successful
MAIL FROM:<bounce+9f2b@ops.example> SIZE=18342
250 2.1.0 Ok
RCPT TO:<alice@example.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Ops Mailer <mailer@ops.example>
To: Alice <alice@example.org>
Subject: Delivery test
Date: Tue, 11 Feb 2026 20:44:50 +0000
Message-ID: <debug-9f2b@ops.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

hello from smtp deep dive
.
250 2.0.0 queued as 7E51A8E011
QUIT
221 2.0.0 Bye

3. Authentication, TLS, and Identity Alignment

Modern mail acceptance is policy-heavy. Transport encryption, sender authentication, and domain alignment together determine inboxing probability far more than SMTP syntax correctness.

TLS/STARTTLS Considerations

Use opportunistic TLS for relay by default, enforce required TLS for submission and sensitive destinations. Capture negotiated protocol and cipher in logs for post-incident analysis.

TLS1.2+ SNI MTA-STS DANE TLSA

Recompute capabilities after TLS; AUTH sets often differ pre/post-upgrade.
Validate certificate SAN against MX target host policy, not RFC5322 header domain.
Track downgrade events where STARTTLS advertised previously but absent now.

SPF, DKIM, DMARC Alignment

SPF validates return-path authorization, DKIM validates signed content+domain, DMARC defines policy and alignment. For high-volume systems, align organizational domain between RFC5322.From and DKIM d= where possible.

SPF breaks on naive forwarding unless SRS/ARC strategy exists.
DKIM survives forwarding if signed headers and body remain intact.
DMARC relaxed alignment tolerates subdomain mismatch; strict does not.

DNS policy examplesminimal but production-oriented

; SPF
example.com.     IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"

; DKIM selector
s2026._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

; DMARC
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

; Optional TLS policy
_mta-sts.example.com. IN TXT "v=STSv1; id=2026-02-11"
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

4. Queueing, Retry Strategy, and DSN Semantics

SMTP acceptance does not mean mailbox delivery. It usually means remote MTA accepted responsibility. Robust systems treat queueing and retry policy as first-class reliability logic.

Retry Discipline

Retry only for transient classes (4xx or enhanced 4.X.X).
Use exponential backoff with jitter and bounded queue lifetime.
Separate policy failures from transport failures in metrics.
Escalate repeated temp-fails to destination reputation signals.

Delivery Status Notifications

Map enhanced codes (2.X.X, 4.X.X, 5.X.X) into canonical app outcomes.
Persist envelope-id / queue-id / message-id linkage for postmortems.
Honor NOTIFY/RET semantics when DSN extension is enabled.
Protect bounce processors against backscatter and parser abuse.

Per-Recipient Outcomes

Single message can split into delivered + deferred + bounced recipients.
Emit recipient-level events, not only transaction-level events.
Avoid dropping good recipients because one address hard-failed.
For partial success, keep transaction correlation IDs stable.

[App producer] -> [Submission API] -> [MTA queue] -> [DNS MX resolve] -> [Remote MX connect] | | | | | idempotency key auth context retry schedule dns cache TTL tls+policy verdict | | | | | +------------------------- observability correlation IDs ----------------+

5. Debugging Techniques That Work in Production

Debug mail like distributed systems: identify where state diverged between intent and observed transport behavior. Always collect transcript, DNS evidence, queue metadata, and remote response codes together.

Command-line Probing Toolkit

transport + DNS probessafe read-only diagnostics

# Discover MX path
 dig +short MX example.org

# Inspect SMTP endpoint capabilities
 openssl s_client -starttls smtp -crlf -connect mx1.example.org:25

# Check MTA-STS and TLS-RPT policy records
 dig +short TXT _mta-sts.example.org
 dig +short TXT _smtp._tls.example.org

# Validate DKIM selector publication
 dig +short TXT s2026._domainkey.example.com

Capture full SMTP transcript including multiline responses.
Record peer IP, chosen MX hostname, and TLS peer certificate fingerprint.
Repeat against each MX preference to detect inconsistent fleet config.

Failure Pattern Catalog

421 / connection drops: remote throttle, tarpitting, or overloaded listener.
450/451 with policy text: temporary reputation controls, graylisting, content scanning queue.
550 5.7.1: auth/alignment fail, relay forbidden, or domain-level blocklist hit.
454 4.7.0 TLS unavailable: cert deployment issue, STARTTLS disabled, or crypto mismatch.
250 queued but no inbox: downstream filtering, mailbox rule, silent spam placement.

Enhanced codes are usually more reliable than human-readable text. Build parsers around numeric code families first, text classifiers second.

message-level forensic checklistminimum evidence set

1) Original RFC5322 message (with all Received headers)
2) Outbound SMTP transcript for each attempt (queue-id, remote mx, timing)
3) DNS snapshots at send time (MX/SPF/DKIM/DMARC/MTA-STS)
4) TLS handshake metadata (protocol, cipher, cert chain verdict)
5) Retry history and final DSN / bounce body
6) Reputation context (sending IP/domain historical reject rates)

6. Advanced ESMTP Extensions and Interop Traps

Extensions improve throughput and correctness, but each one introduces compatibility decisions. High-quality MTAs negotiate capabilities dynamically and degrade gracefully when peers advertise partial or inconsistent support.

Extension	Advertised As	Why It Matters	Operational Caveats
`PIPELINING`	`250-PIPELINING`	Reduces RTT cost by batching SMTP commands.	Client must still map responses to the exact command order; avoid with flaky peers.
`CHUNKING`	`250-CHUNKING`	Allows `BDAT` streaming and avoids dot-stuffing overhead.	Many systems parse DATA-path better than BDAT-path; test all downstream appliances.
`SMTPUTF8`	`250-SMTPUTF8`	Permits UTF-8 in local-parts/headers for internationalized addresses.	Must not downgrade lossy; route only through UTF8-capable path end-to-end.
`DSN`	`250-DSN`	Enables delivery notification controls per recipient.	Prevent mail loops and duplicate notices when combined with internal retries.
`8BITMIME`	`250-8BITMIME`	Allows 8-bit bodies without forced quoted-printable/base64 encoding.	Gate on downstream support, or perform canonical re-encoding before relay hops.
`REQUIRETLS`	Message header / policy control	Signals sender requires TLS-protected transport to destination.	Can reduce deliverability if remote path cannot satisfy strong TLS guarantees.

DSN-enabled envelope exampleper-recipient notification policy

MAIL FROM:<bounce+f31a@mailer.example> ENVID=ord-8472 RET=HDRS
250 2.1.0 Ok
RCPT TO:<alice@example.org> NOTIFY=SUCCESS,FAILURE,DELAY ORCPT=rfc822;alice@example.org
250 2.1.5 Ok
RCPT TO:<bob@example.net> NOTIFY=FAILURE ORCPT=rfc822;bob@example.net
250 2.1.5 Ok
DATA
354 Start mail input
...
.
250 2.0.0 queued as A1CE8D9137

7. Incident Runbooks and Hardening Baseline

Predefined runbooks reduce time-to-restore. Separate mitigation from diagnosis so throughput recovers while root cause is still under investigation.

Runbook: Sudden 5.7.1 Spike

Confirm whether rejects are destination-specific, ASN-specific, or global.
Diff recent DNS/auth changes (SPF flattening, DKIM key rotation, DMARC policy).
Sample rejected transcripts and cluster by enhanced code.
Temporarily shift traffic by IP pool if reputation partitioning exists.
Open postmaster escalation with evidence bundle and timestamps.

Runbook: STARTTLS Failures After Deploy

Validate certificate chain and SAN against all outbound hostnames.
Check minimum TLS version/cipher settings for unintended incompatibility.
Compare failure rates by remote domain and by MX preference target.
Rollback crypto policy if broad interoperability loss is confirmed.
Add synthetic probes for TLS handshake and STARTTLS advertisement drift.

Runbook: Queue Backlog Growth

Measure accept rate, defer rate, connection concurrency, and queue age percentile.
Separate local bottleneck (CPU/DNS/TLS) from remote bottleneck (throttling).
Tune retry pacing and connection reuse to avoid synchronized retry storms.
Protect latency-sensitive transactional streams with queue class isolation.
Set abandonment thresholds and explicit operator alerts by SLO tier.

hardening baselineoperator checklist

[ ] Strict envelope/header validation for outbound sender domains
[ ] DKIM signing at edge with rotating selectors and monitored key expiry
[ ] SPF records minimized and periodically flattened without exceeding DNS limits
[ ] DMARC reports ingested and anomaly detection over fail ratios
[ ] Retry policy documented with bounded lifetime and jittered backoff
[ ] Full-fidelity transcript logging with privacy-safe redaction
[ ] Per-domain adaptive throttling and warm-up logic for new IP pools
[ ] Synthetic SMTP probes for top destinations every 5 minutes
[ ] Bounce classification pipeline with enhanced status code normalization
[ ] SLO dashboard: accepted, deferred, bounced, time-to-final-outcome

8. Annotated Transcript Scenarios (Success, Partial, Failure)

These examples model common production outcomes and the interpretation logic expected in mail delivery services. Keep transcript parsing deterministic and preserve raw lines for incident review.

Scenario A: Partial Recipient Acceptanceproceed with accepted recipients

220 mx.target.example ESMTP
EHLO mta01.sender.example
250-mx.target.example
250-PIPELINING
250-SIZE 10485760
250 8BITMIME
MAIL FROM:<bounce+9ce1@sender.example>
250 2.1.0 Ok
RCPT TO:<valid.user@target.example>
250 2.1.5 Ok
RCPT TO:<unknown.user@target.example>
550 5.1.1 User unknown
DATA
354 End data with <CRLF>.<CRLF>
From: Platform Mailer <notify@sender.example>
To: valid.user@target.example, unknown.user@target.example
Subject: Event update
...
.
250 2.0.0 Accepted queue id 21B5A
QUIT
221 2.0.0 Bye

Scenario B: Temporary Deferral with Retry4xx should schedule backoff

220 mx.bigmail.example ESMTP
EHLO mta01.sender.example
250-mx.bigmail.example
250-STARTTLS
250 PIPELINING
MAIL FROM:<bounce+2fd1@sender.example>
250 2.1.0 Sender ok
RCPT TO:<recipient@bigmail.example>
451 4.7.1 Try again later, rate limited
RSET
250 2.0.0 Reset state
QUIT
221 2.0.0 Bye

# Queue decision:
# classify as transient-policy, retry in 12m with jitter, retain same message-id and envelope-id.

Scenario C: STARTTLS Policy Mismatchfail closed for strict routes

220 mx.secure.example ESMTP
EHLO mta01.sender.example
250-mx.secure.example
250 STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS
... handshake fails: certificate verify error (unable to get local issuer cert) ...
QUIT

# Route policy:
# - transactional banking stream: permanent fail route (security requirement)
# - marketing stream: temporary defer and retry via alternate egress path

9. MIME Construction, Encoding, and Bounce Parsing Examples

Content-layer mistakes often look like transport failures to non-specialized tooling. Validate MIME boundaries, content transfer encodings, and header canonicalization before blaming destination policy systems.

Multipart/Alternative Example

RFC5322 + MIMEtext and html bodies

From: Alerts <alerts@example.com>
To: dev@example.org
Subject: Build pipeline report
Date: Fri, 13 Feb 2026 23:22:10 +0000
Message-ID: <build-4822@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_4822"

--b1_4822
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Build complete. 2 warnings. 0 failures.

--b1_4822
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><p>Build complete.</p></body></html>
--b1_4822--

Boundary must be unique and terminated exactly once.
Quoted-printable lines should stay under 76 chars pre-wrap.
Ensure Date and Message-ID are always set for traceability.

DSN/Bounce Body Parsing Example

delivery-status samplemachine-readable fields

Content-Type: multipart/report; report-type=delivery-status; boundary="dsn_a9"

--dsn_a9
Content-Type: text/plain; charset=utf-8

Delivery failed for one or more recipients.

--dsn_a9
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.sender.example
Arrival-Date: Fri, 13 Feb 2026 23:24:12 +0000

Final-Recipient: rfc822; blocked@target.example
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message rejected due to DMARC policy

--dsn_a9--

Use Status and Action for classifier truth, not free-form prose.
Map Final-Recipient to internal recipient IDs for precise suppression updates.
Persist Diagnostic-Code text for support tooling and trend clustering.