Email - the basics

Email is one of the most commonly used methods of communicating over the internet. There are other ways of course, but pretty much anyone with any internet access at all has an email address.

There are a couple things you need to know right up front, and if you skip the rest you may miss knowing important stuff but you'll still be able to exchange messages without offending people.

Super short summary:

CC - send to and show everybody the multiple recipients

BCC - send to but do not show multiple recipients

Email is not a secure method of communication.

Email is not an efficient way to exchange files.

Always include a subject line.

Most Important Things

In order to send an email to someone, you or your email program has to know their email address. An email address must have an ID for the recipient, an @ symbol and a target domain. You can send an email to Sally if you know her name and her email address is in your email program. (Users of Outlook in businesses often have this automatically set up.) If you don't have Sally in your address book, you cannot send her an email unless you get her email address from her. If you ask and she says that her email address is "sally.jones" then you do not have enough information. If she says it is "company.com" then you do not have enough information. If she tells you both parts and says "at" in the middle then you have her email address, it should be typed: "sally.jones@company.com" rather than spelling out the word "at" and you should, hopefully obviously, leave out the quotation marks I used.

If you have an email address, and a program, you may need settings to put into your email program in order for it to function. If yours is set up for you by Google or Yahoo or MSN or your company, you should be fine, but if you are trying to set it up yourself, then you may need to get it from your Internet service provider. Most providers use something simple like "mail.charter.net" but you can't be sure unless you ask them or they tell you. There are two parts to setting up email, the server you will receive email from and the server you will send email out through. In a corporate environment, they are often the same server, so you may be able to use "mail.mycompany.com" for both. In some situations though, you'll need an SMTP server for sending email and you'll need to know both the type and name for the mail server you are receiving mail through. It is common to find both POP and IMAP email servers, but once you know that you should be able to set up your email program.

You'll also want to know about CC and BCC. In the old days, before copy machines were common, there were sheets of paper with carbon on once side so that whatever was written on a top piece of paper would carry through the carbon paper and onto a paper beneath that. The recipient of a letter might want to know that they were receiving such a copy, or that other people received a copy of the letter they were receiving so it was common to use CC to mean that the letter had Carbon Copies. If someone were to want to send a letter and make a copy but not tell the recipient of the extra copies, it would be sent as a Blind Carbon Copy.

CC is a way of specifying multiple recipients for a message, where the To line is traditionally reserved for the actual target of the email and the CC line is reserved for people who are to receive a copy. The BCC option does exactly the same thing but the recipients cannot see who is included on the BCC list.

You should always include a subject for your emails. First, because it is polite, but second because someone using IMAP (one of the server types mentioned above) may not receive whole messages and selectively download only messages that they specify based on the sender and the subject line.

Never trust email to keep things secure. Because email is based on an protocol old enough that every user could talk to every other user, it had no security built into it and has never been able to outgrow that. If you send an email, it is possible that someone besides the recipient could read it. (If you need to send secure information, it must be encrypted.)

Not Quite Technical Stuff

Thanks to all the tools that are used to exchange email, most people don't have any idea how it really works. After this article, you still won't know a lot of things, but you'll know the basics.

Email is one of the very old ways that networks were used to exchange information. It started being used at a time when every user expected to personally know every other user they might email. The assumptions for that kind of world don't hold true anymore, but nobody wants to build a new email system when it would mean that the rest of the email users in the world wouldn't be able to participate.

Emails are just text that is passed from one computer to another. There is no actual image or video or file passed, those things have to be reconstructed from the text that was used to represent them when they are received by the final party. That is also part of the reason that email is never able to be considered a secure communication method.

When you write an email, you're actually providing the text to a program that will later turn it into an email. If you attach things to your email, those files are also converted to text. After you send the email the program you're using completes the files-to-text transformation and asks an email server to take the transmission. The email server is referred to as a SMTP server, where SMTP stands for Simple Mail Transfer Protocol. It is a standard that all email adheres to in order to allow messages to be passed from one computer system to another. To be able to know where the email is being sent the SMTP server works backwards through the address gathering the domain name until it encounters the @ symbol. Thus it is possible for emails to have multiple @ symbols, with just the last one having any meaning. As an example sally.jones@accounts@company.com would mean to the server that the domain is "company.com" and let the server for company.com figure out what to do with the rest.

The SMTP server, once it knows the domain, hands off the email to the SMTP server registered for that domain, or a trusted intermediary. When the email comes into the server which handles that domain, it may be further processed so that it ends up in the right mailbox. If the above example has three offices around the globe, sally.jones@accounts@company.com may receive email through a server mail.accounts.company.com so the server handling company.com would pass it on to that mail server and not need to pass it on to mail.marketing.company.com. When Sally is getting her email, her computer is supplying her credentials to the place where her mail is stored so there can be only one email address as a recipient of any end product email, though the system may put a copy in several different email boxes if it is a "shared" address.

When the final program that is to handle email receives it, any parts of the email that were encoded into text for transport are reconverted to files. This encoding and decoding is why email is not an efficient way to move files. Added to that overhead is the potential for each machine along the way to store an archive of the email in case it doesn't get through on the first try.

That leads to the scenario where something goes wrong.

SMTP does not care if the sender of the email is identified. Most email providing companies require authentication in order to send or receive email, but the protocol itself does not, so it is possible for anybody who has the ear of an SMTP server to send a message with a false or (usually allowed) empty sending email address. This is another reason why email is considered untrustworthy. I can send an email that appears to the recipient to have come from anyone in the world, including their boss, my boss, the president of the united states or any celebrity you care to name, even showing their real email address.

In the days before SPAM, email was a novelty and a convenience. Once people realized that they could send a million emails at practically no cost, the situation changed, but it couldn't require checks on the senders or people using the original email protocol would be cut out of the loop. Email filtering and server filtering were born. Now servers will only act as a trusted intermediary for domains they have specific responsibility for and only receive email from networks they have trust in. Still, since the server names have to be public in order for email to work, someone wanting to send SPAM need only send messages to recipient's specific servers.

People who set up email servers sometimes make the mistake of thinking their SMTP server is only going to be used by their own people and allow it to receive messages from anyone, and when spammers find such a setup, they gleefully (yes, I imagine their eyes lighting up and them rubbing their hands together) use that server as a way to send messages to everyone in the world.

In order to be able to trust email and keep spam out, some things have to change. The change will not come easily or fast but you can do your part to help it along.

• • Don't try to set up your own email server until you have read about the dangers of open-relay

  • Use authenticated SMTP whenever possible, requiring a username and password to send email

  • Use digital signatures and encryption.

A word on encryption with email

Encryption is the process of turning something that can be read by anyone into something that can be read only by an intended party. It is used in computers to keep data safe. If you encrypt a file with a reliable system, it cannot be read by anyone who doesn't have the necessary information.

There are two basic types of encryption, symmetric and public key. Symmetric encryption means that the person doing the encryption and the person doing the decryption have the same password or key. Public key encryption is a system where the person sending the data does not need to be able to receive the data. The sender encrypts the data with public information but that process cannot be undone by anyone except the person who owns the public key using their own private key. (This involves math.) With public key encryption you must know the key of the recipient in order to send them an encrypted and thus secure, message. Since it is impossible to be sure in advance that you'd be able to share a key for symmetric encryption with every possible recipient, public key encryption is the only viable way of making email secure.

In order to exchange messages securely using public key encryption, the keys must have a way of becoming known. With web pages this is handled by trusted authorities that are bundled with the computer system, but there is a price for keeping these keys in publicly accessible servers, thus web page security comes with  a price tag for the companies that offer it. With email that price tag and process have proven too high to gain widespread appeal, but you can publish your keys to servers for free (there are dozens) and you can attach your public key to your email. Once a recipient has your key, they can send you encrypted email and when you have theirs, you can send them encrypted email.

Sadly, this process is not automated or standardized so it is not widely adopted. I encourage you to ask your email provider to offer you a public key exchange and signing (and encrypting) option in the hope that if they hear it often enough, they will work on getting it done. In the mean time, I also encourage you to discuss it with your IT department, your company management and anyone else who has the ability to get key publication in place.