Skip to content


Repository files navigation

The Net_SMTP Package

User Documentation

Author: Jon Parise Armin Graefe

The Net_SMTP package uses the PEAR_Error class for all of its error handling.

The Net_Socket package is used as the basis for all network communications. Connection options can be specified via the $socket_options construction parameter:

$socket_options = array('ssl' => array('verify_peer_name' => false));
$smtp = new Net_SMTP($host, null, null, false, 0, $socket_options);

Note: PHP 5.6 introduced OpenSSL changes. Peer certificate verification is now enabled by default. Although not recommended, $socket_options can be used to disable peer verification (as shown above).

The Auth_SASL package is an optional dependency. If it is available, the Net_SMTP package will be able to support the DIGEST-MD5_, CRAM-MD5_ and SCRAM-SHA_ SMTP authentication methods. Otherwise, only the LOGIN_ and PLAIN methods will be available.

All of the Net_SMTP class's public methods return a PEAR_Error object if an error occurs. The standard way to check for a PEAR_Error object is by using PEAR::isError():

if (PEAR::isError($error = $smtp->connect())) {

The Net_SMTP package supports the SMTP authentication standard (as defined by RFC-2554). The Net_SMTP package supports the following authentication methods, in order of preference:

DEPRECATED This authentication method is no longer secure and should be avoided.

The CRAM-MD5 authentication method has been superseded by the DIGEST-MD5_ method in terms of security. It is provided here for compatibility with older SMTP servers that may not support the newer DIGEST-MD5 algorithm.

Note: The CRAM-MD5 authentication method is only supported if the AUTH_SASL package is available.

DEPRECATED This authentication method is no longer secure and should be avoided.

The DIGEST-MD5 authentication method uses RSA Data Security Inc.'s MD5 Message Digest algorithm. It is considered a more secure method of SMTP authentication than PLAIN or LOGIN, while still vulnerable to MitM attacks without TLS/SSL.

Note: The DIGEST-MD5 authentication method is only supported if the AUTH_SASL package is available.

The GSSAPI authentication method uses Kerberos 5 protocol (RFC-4120). Does not use user/password. Requires Service Principal gssapi_principal parameter and has an optional Credentials Cache gssapi_cname parameter. Requires DNS and Key Distribution Center (KDC) setup. It is considered the most secure method of SMTP authentication.

Note: The GSSAPI authentication method is only supported if the krb5 php extension is available.

DEPRECATED This authentication method is no longer secure and should be avoided.

The LOGIN authentication method encrypts the user's password using the Base64 encoding scheme. Because decrypting a Base64-encoded string is trivial.

This authentication method is no longer secure and should only be used local or via an TLS encrypted connection.

The PLAIN authentication method sends the user's password in plain text.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication to a server.

Available mechanisms are SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384 and SCRAM-SHA-512.

Note: The SCRAM-SHA authentication method is only supported if the AUTH_SASL package is available.

The XOAUTH2 authentication method sends a username and an OAuth2 access token as per Gmail's SASL XOAUTH2 documentation.

If secure socket transports have been enabled in PHP, it is possible to establish a secure connection to the remote SMTP server:

$smtp = new Net_SMTP('ssl://', 465);

This example connects to on port 465 (a common SMTPS port) using the ssl:// transport.

TLS/SSL is enabled for authenticated connections by default (via the auth() method's $tls parameter), but the STARTTLS command can also be sent manually using the starttls() method.

Message data is sent using the data() method. The data can be supplied as a single string or as an open file resource.

If a string is provided, it is passed through the data quoting system and sent to the socket connection as a single block. These operations are all memory-based, so sending large messages may result in high memory usage.

If an open file resource is provided, the data() method will read the message data from the file line-by-line. Each chunk will be quoted and sent to the socket connection individually, reducing the overall memory overhead of this data sending operation.

Header data can be specified separately from message body data by passing it as the optional second parameter to data(). This is especially useful when an open file resource is being used to supply message data because it allows header fields (like Subject:) to be built dynamically at runtime.

$smtp->data($fp, "Subject: My Subject");

By default, all outbound string data is quoted in accordance with SMTP standards. This means that all native Unix (\n) and Mac (\r) line endings are converted to Internet-standard CRLF (\r\n) line endings. Also, because the SMTP protocol uses a single leading period (.) to signal an end to the message data, single leading periods in the original data string are "doubled" (e.g. "..").

These string transformation can be expensive when large blocks of data are involved. For example, the Net_SMTP package is not aware of MIME parts (it just sees the MIME message as one big string of characters), so it is not able to skip non-text attachments when searching for characters that may need to be quoted.

Because of this, it is possible to extend the Net_SMTP class in order to implement your own custom quoting routine. Just create a new class based on the Net_SMTP class and reimplement the quotedata() method:

require 'Net_SMTP.php';

class Net_SMTP_custom extends Net_SMTP
    function quotedata($data)
        /* Perform custom data quoting */

Note that the $data parameter will be passed to the quotedata() function by reference. This means that you can operate directly on $data. It also the overhead of copying a large $data string to and from the quotedata() method.

The Net_SMTP package retains the server's last response for further inspection. The getResponse() method returns a 2-tuple (two element array) containing the server's response code as an integer and the response's arguments as a string.

Upon a successful connection, the server's greeting string is available via the getGreeting() method.

The Net_SMTP package contains built-in debugging output routines (disabled by default). Debugging output must be explicitly enabled via the setDebug() method:


The debugging messages will be sent to the standard output stream by default. If you need more control over the output, you can optionally install your own debug handler.

function debugHandler($smtp, $message)
    echo "[$smtp->host] $message\n";

$smtp->setDebug(true, "debugHandler");

The following script demonstrates how a simple email message can be sent using the Net_SMTP package:

require 'Net/SMTP.php';

$host = '';
$from = '';
$rcpt = array('', '');
$subj = "Subject: Test Message\n";
$body = "Body Line 1\nBody Line 2";

/* Create a new Net_SMTP object. */
if (! ($smtp = new Net_SMTP($host))) {
    die("Unable to instantiate Net_SMTP object\n");

/* Connect to the SMTP server. */
if (PEAR::isError($e = $smtp->connect())) {
    die($e->getMessage() . "\n");

/* Send the 'MAIL FROM:' SMTP command. */
if (PEAR::isError($smtp->mailFrom($from))) {
    die("Unable to set sender to <$from>\n");

/* Address the message to each of the recipients. */
foreach ($rcpt as $to) {
    if (PEAR::isError($res = $smtp->rcptTo($to))) {
        die("Unable to add recipient <$to>: " . $res->getMessage() . "\n");

/* Set the body of the message. */
if (PEAR::isError($smtp->data($subj . "\r\n" . $body))) {
    die("Unable to send data\n");

/* Disconnect from the SMTP server. */