
Quiz: Email Infrastructure


7 questions

L1 (4 questions)

1. What are SPF, DKIM, and DMARC, and why do you need all three for reliable email delivery?

Answer: SPF validates the sending server's IP is authorized (DNS TXT record listing allowed IPs). DKIM signs the message body with a private key so recipients can verify it was not tampered with (public key in DNS). DMARC ties them together with a policy (none/quarantine/reject) and alignment rules. You need all three because SPF alone does not prevent body tampering, DKIM alone does not prevent envelope spoofing, and DMARC enforces that at least one aligns with the From domain.

2. Your application sends email via SMTP relay and users report messages going to spam. What do you check first?

Answer:
1. Check SPF/DKIM/DMARC alignment — run headers through a tool like mxtoolbox.
2. Check if the sending IP is on any blocklist (RBL/DNSBL lookup).
3. Verify reverse DNS (PTR record) matches the HELO/EHLO hostname.
4. Check the DMARC aggregate reports for failures.
5. Review email content for spam-trigger patterns (all caps, suspicious links, missing unsubscribe header for bulk mail).

3. What is the difference between an MTA, MDA, and MUA, and how do they interact?

Answer: MTA (Mail Transfer Agent, e.g., Postfix, Exim) routes and transfers email between servers using SMTP. MDA (Mail Delivery Agent, e.g., Dovecot LDA, procmail) delivers mail to the recipient's mailbox. MUA (Mail User Agent, e.g., Thunderbird, Outlook) is the client users interact with. Flow: sender MUA -> sender MTA -> recipient MTA -> MDA -> recipient mailbox -> recipient MUA (via IMAP/POP3).

4. What is STARTTLS vs implicit TLS for email, and which ports are used?

Answer: STARTTLS upgrades a plaintext connection to TLS on the standard port (port 25 for server-to-server, port 587 for submission). Implicit TLS starts the connection as TLS immediately (port 465 for submission, port 993 for IMAPS, port 995 for POP3S). STARTTLS on port 25 is opportunistic — a MITM can strip it. Implicit TLS on 465 is always encrypted. Modern best practice: use port 465 with implicit TLS for submission, enforce TLS on port 25 with MTA-STS.

L2 (3 questions)

1. How does an MTA like Postfix handle mail routing, and what is the difference between transport maps and relay hosts?

Answer: Postfix uses a multi-stage pipeline: smtpd receives, cleanup processes headers, qmgr manages the queue, smtp delivers. Transport maps route specific domains to specific next-hop servers (e.g., route internal.corp to an internal relay). Relay host is the default next-hop for all outbound mail (relayhost = [smtp-relay.example.com]:587). Transport maps override relayhost for matched domains. Use transport maps for split routing (internal vs external), relayhost for centralizing all outbound through a smarthost.

2. You need to migrate an organization's email from on-prem Exchange to a cloud provider with zero downtime. What is your approach?

Answer:
1. Set up coexistence: configure mail flow so both systems can receive mail.
2. Lower MX record TTL days in advance.
3. Migrate mailboxes in batches using IMAP sync or provider migration tools.
4. Update MX records to point to the new provider.
5. Keep the old server running as a fallback relay for the TTL window.
6. Verify SPF, DKIM, and DMARC records are updated for the new provider's sending infrastructure.
7. Monitor DMARC reports and bounce logs for a week post-migration.

3. What is MTA-STS and how does it prevent TLS downgrade attacks on email in transit?

Answer: MTA-STS (RFC 8461) publishes a policy via HTTPS (at .well-known/mta-sts.txt) declaring that the domain's MX servers support TLS and listing valid MX hostnames. Sending MTAs that support MTA-STS will refuse to deliver over plaintext or to MX servers with invalid certificates. This prevents MITM attackers from stripping STARTTLS or redirecting to rogue MX servers. Complemented by TLSRPT (RFC 8460), which sends daily TLS failure reports to the domain owner.