Updated 10 hours ago
Every email you send faces a simple question: which door should it knock on?
SMTP uses different port numbers for different purposes, and choosing the wrong one means your message either won't send, won't be secure, or will be rejected outright. But these port numbers aren't arbitrary—each one exists because something broke and needed fixing.
The Short Answer
If you're configuring an email client and just need to know what to use:
Port 587 with STARTTLS encryption and authentication. This works for Gmail, Outlook, and virtually every modern mail provider.
If that's blocked, try port 465 with implicit TLS.
Never use port 25 for sending from an email client.
Now, for why any of this exists:
Port 25: The Original Door
Port 25 is where SMTP began in 1982. Back then, it handled everything—servers talking to servers, clients talking to servers, everyone talking to everyone.
This worked because the early Internet was small and trusting. Mail servers accepted messages from anyone claiming to send on behalf of anyone. If you connected to port 25 and said "I have a message from president@whitehouse.gov," the server would shrug and deliver it.
Then spammers discovered this.
By the 1990s, spammers were exploiting "open relay" servers—connecting to port 25, claiming to be legitimate senders, and pumping out millions of fraudulent messages. Your grandmother's computer, infected with malware, could connect to any mail server on port 25 and send spam pretending to be Bank of America.
The response was brutal and necessary: mail servers stopped trusting port 25 for submission. Today, port 25 is strictly for server-to-server delivery—when Gmail's servers need to deliver mail to Yahoo's servers, they connect on port 25. But if you try to submit a message as a user on port 25, most servers will reject you. Many ISPs block outbound port 25 entirely, so your computer can't even make the connection.
Port 25 was designed for a world where mail servers trusted each other. That world ended when spammers discovered they could pretend to be anyone.
Port 587: The Authenticated Door
Port 587 emerged as the solution to port 25's trust problem. It's designated specifically for "message submission"—when email clients send messages to their mail server.
The key difference: port 587 requires you to prove who you are.
When you connect to port 587, the server demands authentication before accepting any message. You provide a username and password, the server verifies you're a legitimate user, and only then does it accept your outgoing mail.
But there's a wrinkle. Port 587 starts unencrypted—your credentials would be visible to anyone watching the connection. So before authentication happens, the client and server perform a little dance called STARTTLS:
This is genuinely strange when you think about it. Two computers talking in the open, then one says "let's whisper now," and suddenly they're speaking in code. It's like passing notes in class and switching to pig latin mid-sentence.
STARTTLS works, but the initial unencrypted exchange creates a theoretical vulnerability—a sophisticated attacker could intercept the connection before encryption begins and strip out the encryption offer. This led to port 465.
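The upgrade sequence and the stripping risk described above, as an added example (not code from this page): a Python client that hangs up instead of authenticating when the STARTTLS offer is missing. `open_submission`, `StartTLSUnavailable`, `start_stripped_server` and the `.invalid` hostnames are names made up for the example, and the local server is a constructed stand-in for a connection on which the offer has been removed.

```python
import smtplib
import socket
import ssl
import threading


class StartTLSUnavailable(Exception):
    """The EHLO reply carried no STARTTLS offer (unsupported or stripped)."""


def open_submission(host, port=587, context=None, timeout=5):
    """Return an SMTP session that is already TLS-protected, or raise.

    Fails closed: with no STARTTLS offer we hang up rather than fall back
    to plaintext, so AUTH is never sent over an unencrypted connection.
    """
    context = context or ssl.create_default_context()  # verifies cert and hostname
    smtp = smtplib.SMTP(host, port, local_hostname="client.invalid", timeout=timeout)
    try:
        smtp.ehlo()                        # plaintext: C: EHLO  S: 250-... capabilities
        if not smtp.has_extn("starttls"):  # offer missing: unsupported or stripped
            raise StartTLSUnavailable(f"{host}:{port} did not offer STARTTLS")
        smtp.starttls(context=context)     # C: STARTTLS  S: 220, then TLS handshake
        smtp.ehlo()                        # re-read capabilities inside the tunnel
        return smtp                        # only now may the caller smtp.login(...)
    except Exception:
        smtp.close()
        raise


def start_stripped_server(seen):
    """Constructed local test server: EHLO reply lacks STARTTLS; logs commands to `seen`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"220 test.invalid ESMTP\r\n")
            for line in rf:
                seen.append(line.strip().upper())
                if line.upper().startswith(b"EHLO"):
                    conn.sendall(b"250-test.invalid\r\n250 AUTH PLAIN LOGIN\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Many mail libraries treat STARTTLS as optional unless told otherwise, so the explicit `has_extn` check before any `login` call is the part that matters.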
Port 465: The Always-Encrypted Door
Port 465 uses "implicit TLS"—the connection is encrypted from the very first byte. There's no negotiation, no upgrade, no moment of vulnerability. You either connect encrypted or you don't connect at all.
Port 465 has a messy history. It was used for encrypted SMTP in the late 1990s but was never officially standardized and got reassigned to other purposes. Despite this, people kept using it. In 2018, the standards bodies finally acknowledged reality and officially blessed port 465 for SMTP submission with implicit TLS.
Today, both ports 587 and 465 are valid for sending email from clients:
- Port 587: Starts unencrypted, upgrades via STARTTLS
- Port 465: Encrypted from the start
Port 587 with STARTTLS is more widely supported and remains the default recommendation. Port 465 is slightly more secure against certain attacks and works better through some corporate firewalls that inspect traffic. Use whichever your mail provider recommends; both are fine.
Port 2525: The Emergency Exit
Port 2525 is unofficial—it's not in any RFC, not blessed by any standards body. It exists because sometimes everything else is blocked.
Some networks, particularly hotels, airports, and aggressive corporate firewalls, block the standard email ports. Port 2525 provides a workaround. Functionally, it works identically to port 587—same authentication, same STARTTLS encryption.
Use port 2525 only when you've tried 587 and 465 and both are blocked.
Server-to-Server vs. Client-to-Server
The confusion about SMTP ports stems from conflating two different operations:
Server-to-server relay (port 25): When Gmail's server delivers mail to Yahoo's server. No authentication—servers verify each other through DNS records, IP reputation, and cryptographic signatures like DKIM. This happens automatically; users never configure it.
Client-to-server submission (ports 587, 465): When your email app sends mail to your mail server. Requires authentication because the server needs to know you're a legitimate user, not a spammer.
Port 25 is for the first operation. Ports 587 and 465 are for the second. Mixing them up causes problems.
Configuring Your Email Client
For outgoing mail configuration:
| Provider | Server | Port | Encryption |
|---|---|---|---|
| Gmail | smtp.gmail.com | 587 | STARTTLS |
| Microsoft 365 | smtp.office365.com | 587 | STARTTLS |
| Yahoo | smtp.mail.yahoo.com | 587 | STARTTLS |
| iCloud | smtp.mail.me.com | 587 | STARTTLS |
All require authentication with your email address and password (or app-specific password if you use two-factor authentication).
Running Your Own Mail Server
If you operate a mail server:
Inbound port 25: You must accept connections on port 25 to receive mail from other servers. This is how the Internet delivers mail to your domain.
Outbound port 25: Your server needs to connect to port 25 on other servers to deliver outgoing mail. Many hosting providers block this; you may need to relay through a service like SendGrid, Amazon SES, or your provider's SMTP relay.
Port 587/465 for your users: Configure submission ports for your users to send mail through your server. Require authentication and encryption.
Never accept unauthenticated submission on any port—this creates an open relay that spammers will find and abuse within hours.
The Pattern
SMTP's port proliferation tells a story repeated across the Internet:
- Protocol designed for a trusting environment
- Bad actors exploit that trust
- New mechanisms added to verify identity
- Encryption layered on to protect credentials
- Legacy ports remain for backward compatibility
Port 25 is the legacy. Ports 587 and 465 are the adaptation. The email you send today travels through infrastructure shaped by decades of cat-and-mouse between systems trying to deliver legitimate mail and attackers trying to abuse them.