Port 25 is how mail servers talk to each other. It's not for you anymore.
That single sentence captures a transformation two decades in the making. Port 25 remains the standard channel for server-to-server email delivery, but for individual users, it's been systematically blocked by ISPs worldwide. Understanding why requires understanding what happened when the Internet's early trust model met the reality of scale.
What SMTP Actually Does
Simple Mail Transfer Protocol (SMTP) moves email across the Internet. When you send a message, SMTP handles the journey from your mail server to the recipient's—potentially hopping through intermediate servers along the way.
The protocol is refreshingly direct: a sending server connects to a receiving server, identifies itself, specifies sender and recipient, and transmits the message. The receiving server accepts it, rejects it, or forwards it closer to the destination. That's it. SMTP has worked this way since 1982.
The Original Design: Trust as Default
Port 25 was assigned to SMTP in 1982, making it one of the oldest port assignments still in use. For decades, it served double duty: server-to-server relay and user submission. Anyone could connect to port 25, hand off a message, and the server would attempt delivery. No credentials required.
This wasn't naive—it was intentional. The early Internet was small enough that accountability existed through community. If someone abused the system, you could track them down. Mail servers acted as helpful neighbors, passing messages along toward their destinations without demanding identification.
Then the Internet grew. And the neighbors changed.
What Broke
By the early 2000s, the majority of email traffic was spam. Spammers had discovered they could connect directly to mail servers on port 25 and blast millions of messages without authentication or accountability. Compromised home computers—infected with malware—became spam cannons, connecting to port 25 on mail servers worldwide.
The trust model that worked for a village failed for a city. The open door became an open wound.
Why ISPs Block Port 25
Today, most residential ISPs block outbound connections on port 25. The blocking happens at the network edge: your computer simply cannot establish a TCP connection to port 25 on external servers.
The target is malware. When a computer gets infected, one of the first things the malware often tries is sending spam directly to mail servers on port 25, bypassing the ISP's legitimate mail infrastructure. Blocking port 25 prevents compromised machines from becoming spam distribution nodes.
This single measure dramatically reduced spam originating from infected home computers and botnets. It's blunt, but it works.
Business-class connections often don't include this restriction—legitimate businesses may need to run their own mail servers. But for residential users, port 25 is effectively off-limits for outbound connections.
The Replacement: Ports 587 and 465
As port 25 became blocked for end users, email infrastructure evolved to separate two functions that had been conflated: message submission (users sending mail) and message relay (servers forwarding mail to each other).
Port 587 handles submission. Designated for this purpose in 1998, it's where your mail client—Outlook, Apple Mail, Thunderbird—connects to send outgoing messages. Unlike port 25, port 587 requires authentication. You prove who you are before the server accepts your mail. This creates accountability.
Modern servers expect STARTTLS on port 587, which upgrades the connection to an encrypted one. Your credentials and message content travel protected.
Port 465 uses implicit TLS—encryption from the moment of connection, rather than upgrading mid-conversation. It was briefly deprecated, then quietly brought back because people kept using it. Both ports accomplish the same thing: authenticated, encrypted message submission.
Most mail services support both. Port 587 with STARTTLS is the more common recommendation, but port 465 works fine.
Port 25 Isn't Dead—Just Specialized
Server-to-server delivery still happens on port 25. When Gmail needs to deliver your message to Outlook.com, your submission might use port 587—but Gmail's servers connect to Outlook's servers on port 25.
Organizations running their own mail servers keep port 25 open for incoming mail from the broader Internet, even while blocking their own users from sending through it.
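The split described above, authenticated submission on 587/465 versus inbound-only port 25, can be written down as a server-side command gate. This is an added example, not code from any real mail server; the domain, the credential store and the helper names are constructed, and TLS is modelled as a flag rather than a handshake.

```python
import base64
import hmac
from dataclasses import dataclass

LOCAL_DOMAIN = "example.test"                    # constructed: domain hosted here
USERS = {"alice@example.test": "correct horse"}  # constructed credential store

@dataclass
class Session:
    port: int          # 25 = relay, 587 = submission + STARTTLS, 465 = implicit TLS
    tls: bool = False
    user: str = ""

    def __post_init__(self):
        self.tls = self.tls or self.port == 465  # 465 is encrypted from byte one

def handle(s: Session, line: str) -> str:
    """Reply this toy policy gives to one SMTP command; state lives in s."""
    verb, _, arg = line.strip().partition(" ")
    verb, submission = verb.upper(), s.port in (587, 465)
    if verb == "STARTTLS":
        s.tls = True                             # a real server handshakes here
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        if not submission:
            return "503 5.5.1 AUTH not offered on the relay port"
        if not s.tls:                            # never take credentials in clear
            return "530 5.7.0 Must issue a STARTTLS command first"
        mech, _, blob = arg.partition(" ")
        try:                                     # PLAIN = authzid NUL user NUL password
            _, user, pw = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode AUTH PLAIN response"
        if not (mech.upper() == "PLAIN" and user in USERS
                and hmac.compare_digest(USERS[user].encode(), pw.encode())):
            return "535 5.7.8 Authentication credentials invalid"
        s.user = user
        return "235 2.7.0 Authentication successful"
    if verb in ("MAIL", "RCPT"):
        if submission and not s.user:            # accountability: no anonymous submit
            return "530 5.7.0 Authentication required"
        domain = arg.rstrip(">").rpartition("@")[2].lower()
        if verb == "RCPT" and not submission and domain != LOCAL_DOMAIN:
            return "550 5.7.1 Relaying denied"   # port 25 accepts inbound mail only
        return "250 2.0.0 OK"
    return "502 5.5.1 Command not implemented"

def plain(user: str, pw: str) -> str:
    """Build the client's AUTH PLAIN command for the sample sessions."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{pw}".encode()).decode()
```

Feeding the same commands to `Session(587)` and `Session(25)` shows the two policies side by side: the submission port refuses `MAIL FROM` until TLS and `AUTH` have succeeded, while port 25 accepts unauthenticated mail but only for recipients in its own domain.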
The security gap on port 25 is now addressed differently. SPF (Sender Policy Framework) lets domains declare which servers may send on their behalf. DKIM (DomainKeys Identified Mail) adds cryptographic signatures. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties them together with policy enforcement. These technologies help receiving servers verify that mail actually comes from who it claims to come from.
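How DMARC "ties them together" is easiest to see as a decision function: an SPF or DKIM pass only counts if the authenticated domain aligns with the visible From domain. The sketch below is an added example, not a full DMARC implementation; the function names and sample domains are constructed, the organizational domain is approximated as the last two labels (a real evaluator uses the Public Suffix List), and tags such as `sp` and `pct` are ignored.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags; reject records without v and p."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Wrong for suffixes like co.uk; use the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, header_from, spf_result, mail_from_domain, dkim_sigs):
    """Return 'pass' or the policy to apply (none/quarantine/reject).

    dkim_sigs is a list of (result, d_domain) pairs, one per signature.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(
        mail_from_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = any(
        result == "pass" and aligned(d, header_from, tags.get("adkim", "r"))
        for result, d in dkim_sigs)
    # One aligned pass is enough; otherwise the domain owner's policy applies.
    return "pass" if spf_ok or dkim_ok else tags["p"]

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"   # constructed sample record
```

With `RECORD`, a message whose SPF and DKIM both pass for `unrelated.test` but whose From header says `example.test` still evaluates to `reject`, because neither result is aligned with the From domain.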
What This Means for You
If you're setting up email on a new device or troubleshooting delivery issues: use port 587 with STARTTLS, or port 465 with implicit TLS. Enable authentication. Don't bother trying port 25—it's almost certainly blocked, and even if it weren't, legitimate mail servers won't accept unauthenticated submission anymore.
Port 25 remains the backbone of server-to-server email delivery. But for users, it's a door that closed years ago. The replacement—authenticated submission on 587 or 465—is more secure, more accountable, and actually works.
The Internet grew up. Port 25 is how we can tell.