SMTP: Why We Still Use This 1982 Protocol

A Protocol Born in a Different Era

In 1982, the internet was a network of a few hundred computers used almost exclusively by academics and military researchers. Jon Postel published RFC 821, defining SMTP as a simple, text-based protocol for transferring electronic messages between servers. The design prioritized reliability and simplicity over security — an entirely reasonable choice given the trusted, small community using it at the time.

SMTP works through a straightforward conversation between two servers. The sending server connects to port 25 of the receiving server and issues a series of plain-text commands: HELO (identify yourself), MAIL FROM (sender address), RCPT TO (recipient address), and DATA (the message body). The receiving server responds with numeric status codes. It is elegant in its simplicity, and that simplicity is precisely why it has survived for over four decades.

Why Nothing Has Replaced It

Several attempts have been made to replace SMTP over the years. Technologies like X.400, a complex OSI-based messaging standard from the 1980s, were supposed to be the future. More recently, proposals for blockchain-based email systems and various encrypted alternatives have surfaced. None have gained traction, and the reasons are instructive:

• Universal interoperability: SMTP is the only protocol understood by every email server on the planet. Replacing it would require coordinated action by millions of independent operators — a practical impossibility.
• Network effects: The value of email comes from the fact that everyone uses it. A new protocol that only works with a subset of servers is inherently less useful.
• Incremental improvement: Rather than replacing SMTP, the industry has layered improvements on top of it. STARTTLS added encryption in transit. SPF, DKIM, and DMARC added authentication. These extensions address SMTP's original weaknesses without breaking compatibility.
• Decentralization: Unlike proprietary messaging platforms, SMTP is an open standard. No single company controls it, which means no single company can kill it or gatekeep access to it.

The Security Problem (and How It Was Patched)

SMTP was designed for a world where every participant on the network was trusted. It had no built-in encryption, no sender verification, and no spam prevention. By the late 1990s, these gaps had become serious problems. The response came in waves:

STARTTLS (RFC 3207, 2002): Allows SMTP connections to upgrade to TLS encryption after the initial handshake. Today, over 90% of email traffic between major providers is encrypted in transit, though STARTTLS is opportunistic — a man-in-the-middle can still strip it.

SPF (RFC 7208, 2014): Sender Policy Framework lets domain owners publish DNS records specifying which servers are authorized to send email on their behalf. This makes it harder to forge the sender address.

DKIM (RFC 6376, 2011): DomainKeys Identified Mail adds a cryptographic signature to each message, allowing the recipient to verify that the content was not altered in transit.

DMARC (RFC 7489, 2015): Domain-based Message Authentication, Reporting, and Conformance ties SPF and DKIM together with a policy framework, telling receiving servers what to do when authentication fails.

SMTP in the Age of Disposable Email

Services like TempoMail rely on the same SMTP infrastructure that powers every other email system. When someone sends a message to a TempoMail address, their server connects to TempoMail's Postfix instance over SMTP, delivers the message, and it is stored in an encrypted temporary inbox. The protocol does not care whether the recipient address is permanent or temporary — it delivers the message the same way it has since 1982.

This universality is what makes disposable email effective. Because SMTP is the universal standard, a temporary address works with every service, website, and sender on the internet. No special software or configuration is needed on the sender's side.

What Comes Next

SMTP will likely outlive most of us reading this. The protocol has proven remarkably adaptable, absorbing new security layers without breaking backward compatibility. Future improvements may include MTA-STS (enforced TLS), DANE (DNS-based certificate authentication), and better anti-phishing measures, but the core protocol — the simple exchange of HELO, MAIL FROM, RCPT TO, DATA — will remain the same. In a world of constantly changing technology, SMTP is a rare example of a design so fundamentally sound that it just keeps working.