A 50-year journey into the past of email and SMTP to learn how email protection developed into the email we know today.
As someone who enjoys reading and learning, I figured it would be interesting to look into the past of email security to gain a deeper understanding of the security technologies we use every day.
If we’re going to look at the past of email in general, the protocol we still use today is a good place to start. Jonathan B. Postel introduced us to the Simple Mail Transfer Protocol (SMTP) in August 1982, at least in a structured format. However, computer-based messaging had been possible for a long time before that, with Telex and AUTODIN serving as forerunners to SMTP.
While security is a top priority today, SMTP was created in a very different environment: the ARPANET (the predecessor to the modern internet), which was a closed network of trusted users mostly made up of researchers and government officials. Stable SMTP ports and the idea of authentication were not even on the radar in those days of open relays; instead, the emphasis was on providing efficient email delivery.
Nearly 40 years later, the internet is no longer just a closed network of trusted users; it’s now a global network of users who may or may not be trustworthy. Not only that, but our communications have evolved from basic text-based communication to much more complex formats.
We’ll look at the email history timeline in general, with a focus on SMTP history, in the section below.
A Timeline on How Email Evolved with SMTP in All of Its Glory
Email has a nearly 50-year tradition, and email protection is no exception. Because of the topic’s breadth and scope, I decided to break it down by decade to keep things more organised.
SMTP Email History Timeline — The 1970s
Without mentioning the man who started it all, which in our case is Raymond Samuel Tomlinson, no trip down memory lane is complete. Previously, SNDMSG was only used to send electronic mail on a single multi-user, time-sharing device.
In 1971, Tomlinson expanded this capability by sending the first email as a test to see whether messages could be sent to users on other ARPANET computers. He was the first to use the @ symbol to separate the username and the hostname, a technique we still use today when sending emails! This form of communication was a big hit, and people started thinking about how they could send an electronic mail to someone who wasn’t on their internal network.
Larry Roberts, the so-called “Father of the Internet” (because he created ARPANET), wrote the first-ever mail management programme, “RD,” in 1972, which enabled users to sort, file, or remove messages from a menu. Many mail managers arose as a result of RD, with MSG, created by John Vittal, being one of the most well-known, with features such as mail forwarding.
DARPA proposed the first email specifications in 1973, including features like mail forwarding. In 1978, a marketing representative from Digital Equipment Corp. (DEC) sent out what is believed to be the first spam letter, which was met with a huge uproar from ARPANET users.
SMTP Email History Timeline — The 1980s
ISPs and email hosting services entered the picture in the 1980s, ushering in a new age of global communication. FidoNet (a worldwide network of bulletin board systems) was launched in 1984, adding to the 1970s networks such as PLATO IV, Unix mail, and others.
The first draught for SMTP was also described in the early 1980s, with RFC 821 being published in 1982. Professor Scott Fahlman also gave us the first smiley face emoticon that year! 😊
The “From” area (purported responsible address, or PRA identity) in the message body (as seen in Figure 2) didn’t have to fit the “Mail From” address because of the way SMTP was structured in 1982, and this paved the way for a slew of issues. Today, we have SMTP security controls such as SPF, DKIM, and other authentication checks (more on this later), which help us verify the authenticity of the email we receive.
In 1988, AppleTalk Networks added the first commercial MS-DOS based mail client for personal computers. CompuServe, Sprint (in the United States), and Pipex (in the United Kingdom) were among the first to provide internet access through dial-up connections.
SMTP Email History Timeline — The 1990s
The use of HTML overtook text-based emails in the 1990s, and companies like Yahoo! Mail, AOL, and Hotmail swept the internet world.
STARTTLS was created in late 1998 as an effort to add security to the SMTP protocol in order to prevent intruders from reading messages. The STARTTLS command is defined by IONOS as “primarily used as a protocol extension for email communication, based on the protocols SMTP, IMAP, and POP.” It does this by extending the transport layer security (TLS) protocol to ensure that all data is sent using the encrypted protocol.
There was still no authentication at this stage, and it was all about open communication and open relays. Although this facilitated secure mail transfer, it also enabled any unscrupulous consumer on the network to take advantage of these open relay servers’ computing resources to submit large volumes of unsolicited spam messages.
Following that, in March 1999, a simple form of authentication was added to the SMTP protocol as an alternative. This caused the receiver to answer with an additional 250-AUTH PLAIN LOGIN option after receiving the extended hello (EHLO) message from the sender. As time passed, SMTP continued to expand on its previous features while also incorporating security enhancements.
SMTP Email Security as We Know It Today
The twenty-first century brought us interactive and sensitive emails that allow images, animation, and other formats to be exchanged via email using service extensions (multipurpose internet mail extension that allows the sharing of other formats) and provide features such as calendars and mail recall, as well as screen share and conferencing. It also gave us MARID (MTA Authorization Records In DNS), an anti-spoofing email authentication system. The MARID Internet Engineering Task Force (IETF) working group was formed in 2004 and disbanded less than a year later due to intellectual property disputes, disagreements, and other issues surrounding how to improve the SMTP standard.
SMTP began using message headers such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and others to avoid spam and email-based security attacks at the same period. What is the reason for this?
Since SMTP protection alone isn’t enough, according to RFC 5321:
SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the “spoofed” behavior cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is determined and knowledgeable. Consequently, as knowledge of Internet mail increases, so does the knowledge that SMTP mail inherently cannot be authenticated, or integrity checks provided, at the transport level. Real mail security lies only in end-to-end methods involving the message bodies, such as those that use digital signatures (see RFC 1847 [43] and, e.g., Pretty Good Privacy (PGP) in RFC 4880 [44] or Secure/Multipurpose Internet Mail Extensions (S/MIME) in RFC 3851 [45]).”
Some of the controls used today to prove to ISPs and mail servers that email senders are, in fact, registered parties and are not attempting to impersonate legitimate users include SPF, DKIM, DMARC, and S/MIME certificates. SPF maps IP addresses to domain names, while DKIM verifies validity and ensures that an email message’s content has not been tampered with. SPF and DKIM-based Domain-based Message Authentication, Reporting, and Conformance (DMARC) decides how to respond to potentially spoofed emails.
Secure/Multipurpose Internet Mail Extension (S/MIME) is a protocol standard established by the Internet Engineering Task Force (IETF) that is based on email protection, while the other three are DNS TXT records. In both storage and transit, S/MIME certificates are used to sign or authenticate and encrypt our email correspondence.
Wrapping Up the History of Email Timeline
Looking back at the history of SMTP, from how the protocol was created and how encryption and authentication are being implemented today, it’s clear that there are some inherent flaws that can be changed but not totally eliminated. This is why having a safe email policy in place to direct your organization’s efforts to improve email security using a variety of tools and authentication methods is critical.