SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby an SMTP client may log in using an authentication mechanism chosen among those supported by the SMTP server. The authentication extension is mandatory for submission servers.
Unlike mail-access protocols, the original SMTP specified by Jon Postel in the 1970s did not provide for using passwords for sending email messages. This lack of security gave rise to open mail relays, unprotected mail servers used to propagate spam and worms that became a plague in the late '90s. Before SMTP AUTH, a relay client had to be identified by IP address, which is only practical for email services provided by the same Internet service provider (ISP) supplying the connection, or else by using specific hacks, such as POP before SMTP.
John Gardiner Myers published the first draft of SMTP AUTH in 1995, and it has been successively developed and discussed in the IETF along with mail submission protocol, Extended SMTP (ESMTP), and Simple Authentication and Security Layer (SASL). An older SASL mechanism for ESMTP authentication (ESMTPA) is CRAM-MD5, and uses of the MD5 algorithm in HMACs (hash-based message authentication codes) are still considered sound.
The Internet Mail Consortium (IMC) reported 55% of mail servers were open relays in 1998, but less than 1% in 2002.
Using a mail submission agent (MSA), generally on port 587, implies SMTP AUTH. MSA usage is supported by most software and is recommended, especially to support nomadic users, as several network hubs either block port 25 or use SMTP proxies. The MSA is responsible for ensuring that the message envelope contains good addresses, and may enforce local policies for the From header field. Verifying that the envelope sender (a.k.a. Return-Path) used for SPF and the From address agree with the authenticated user-id is particularly important for domains that sign messages using DKIM.
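The alignment check described above, as an added example that is not code from the article or from any particular MSA: given the authenticated user-id, the MAIL FROM argument and the raw From: header, it decides whether the submission is consistent with the user. The policy rules (exact-mailbox match by default, optional same-domain mode for role accounts, rejection of the null sender) are assumptions.

```python
"""Submission-policy check an MSA could run after SMTP AUTH. Added example,
not code from the article: it verifies that the envelope sender (MAIL FROM,
i.e. the Return-Path used for SPF) and the From: header agree with the
authenticated user-id. The rule set is an assumption."""
from email.utils import parseaddr


def _mailbox(addr: str) -> tuple[str, str]:
    """Split 'local@domain' into (local, domain); domain is lower-cased."""
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {addr!r}")
    return local, domain.lower()


def check_submission(auth_user: str, mail_from: str, from_header: str,
                     allow_same_domain: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for one authenticated submission.

    auth_user   -- user-id the client authenticated as ('alice@example.com')
    mail_from   -- argument of the MAIL FROM command ('<alice@example.com>')
    from_header -- raw From: header value ('Alice <alice@example.com>')
    allow_same_domain -- accept any mailbox in the authenticated domain
                         (shared role accounts) instead of the exact user.
    """
    a_local, a_domain = _mailbox(auth_user)
    # Envelope: strip angle brackets. The null sender <> marks a bounce and
    # has no place in authenticated submission, so reject it.
    env = mail_from.strip()
    if env.startswith("<") and env.endswith(">"):
        env = env[1:-1]
    if not env:
        return False, "null envelope sender not allowed on submission"
    # Header: parseaddr discards the display name and comments.
    _, hdr = parseaddr(from_header)
    if not hdr:
        return False, "From header has no parseable address"
    for label, addr in (("envelope sender", env), ("From header", hdr)):
        try:
            local, domain = _mailbox(addr)
        except ValueError as exc:
            return False, f"{label}: {exc}"
        if domain != a_domain:
            return False, f"{label} {addr} is outside domain {a_domain}"
        # Local parts are compared case-insensitively, as most sites do.
        if not allow_same_domain and local.lower() != a_local.lower():
            return False, f"{label} {addr} does not match {auth_user}"
    return True, "ok"
```

A message that fails the check should be rejected at submission time, before any DKIM signature is applied, so the signing domain never vouches for an address the authenticated user does not own.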