Port 587 carries your voice into the world. Every email you compose, every message you send from your phone in a coffee shop or your laptop in a hotel room, passes through this door. It is the submission port, the place where your words first touch the mail system, and it will not let you speak until you prove who you are.
What Port 587 Does
When you click "Send" on an email, your mail client connects to port 587 on your email provider's server. This is the Message Submission Agent (MSA), and its job is to accept email from authenticated users and hand it off to the mail delivery system.1
The protocol is ESMTP (Extended Simple Mail Transfer Protocol) with two critical additions: authentication and encryption. Before the server accepts a single byte of your message, it demands credentials. Username. Password. Proof that you are who you claim to be.2
This is fundamentally different from port 25, where mail servers talk to each other. Port 25 is for relay, the passing of messages between systems. Port 587 is for submission, the moment a human (or their software) introduces a new message into the global mail network.3
The Problem It Solved
To understand why port 587 exists, you need to understand what email looked like in the 1990s.
When SMTP was designed in 1982, the Internet was a network of universities and research institutions. Everyone knew everyone. Trust was assumed. Mail servers were configured as "open relays" by default, meaning any computer on the Internet could connect and ask them to deliver mail to anyone, claiming to be anyone.4
This worked beautifully until it didn't.
By the mid-1990s, spam had arrived. Companies like Cyber Promotions discovered they could connect to any mail server on the Internet, claim to be anyone, and send thousands of advertisements through that server's resources. The server would dutifully relay their junk to every address on the list. The spammers paid nothing. The server owners paid for the bandwidth, the storage, and the hours spent cleaning up the mess.5
The open relay problem was an existential crisis for email. Over 90% of mail servers were configured to accept mail from anyone for delivery to anyone. Spammers exploited this relentlessly, hopping from server to server, saturating connections, and leaving chaos in their wake.6
Something had to change.
The RFC That Changed Everything
In December 1998, Randall Gellens of QUALCOMM and John Klensin of MCI published RFC 2476: Message Submission.7
Their insight was elegant: email has two distinct functions that had been conflated. There is relay, where mail servers pass messages to each other on their journey to the destination. And there is submission, where a user introduces a new message into the system.
These are different operations with different trust requirements. When one mail server talks to another, they're both part of the infrastructure. When a user submits a message, they're coming from the outside. They should prove who they are.8
RFC 2476 designated port 587 for message submission and required authentication. If you want to send mail through this port, you must first prove your identity. No more anonymous injection of messages into the mail system.9
John Klensin went on to serve as chair of the Internet Architecture Board from 2000 to 2002, and has authored or co-authored over 60 RFCs. Randall Gellens continued contributing to email standards, including the emergency communications protocols that route 911 calls.10 The submission specification they created has been updated twice: RFC 4409 in 2006, and RFC 6409 in November 2011, which remains the current standard (STD 72).11
How It Actually Works
When your email client connects to port 587, a conversation begins:
- The greeting: Your client sends `EHLO` to identify itself and request the Extended SMTP feature list.
- Encryption negotiation: The server responds with its capabilities, including `250-STARTTLS`. Your client issues the `STARTTLS` command, and both sides upgrade the connection to TLS encryption. Everything from this point forward is encrypted.12
- Authentication: Now comes the critical step. The server advertises `250-AUTH` with a list of supported authentication mechanisms (PLAIN, LOGIN, CRAM-MD5, and others). Your client sends your credentials. The server verifies them against its user database.13
- Message submission: Only after successful authentication does the server accept your message. You provide the envelope (sender and recipients), then the message itself.
- Handoff: The MSA validates your message, potentially adding headers, and hands it to the Mail Transfer Agent for delivery via port 25.
The STARTTLS upgrade is called "opportunistic TLS" because the connection starts in plaintext and upgrades to encrypted. This was a pragmatic choice in 1998 when not all systems supported TLS. In 2018, RFC 8314 declared cleartext obsolete and recommended Implicit TLS (where encryption starts immediately) as the preferred approach.14
The Traveler's Port
One of the explicit motivations in RFC 2476 was supporting "off-site submission by authorized users such as travelers."15
Before port 587, sending email while traveling was a nightmare. You'd connect to a hotel's WiFi, try to send an email through your home mail server on port 25, and nothing would happen. The network was blocking port 25 to prevent spam. Or your home server was rejecting you because your IP address wasn't in an authorized range.
Port 587 with authentication solves this elegantly. It doesn't matter where you are. It doesn't matter what network you're on. If you can prove who you are, you can send mail. Your identity travels with you.16
This is why port 587 is rarely blocked by ISPs and network operators. Port 25 is often blocked to prevent compromised computers from spewing spam, but port 587 requires authentication. The risk profile is completely different.17
Security Considerations
Port 587 is more secure than port 25 for submission because it requires authentication, but it's not without vulnerabilities.
STARTTLS stripping: Because the connection starts in plaintext before upgrading to TLS, an attacker who can intercept traffic can prevent the upgrade by suppressing the STARTTLS command. The conversation then proceeds unencrypted. This is why RFC 8314 recommends Implicit TLS on port 465 as the more secure option.18
Credential exposure: If STARTTLS fails or is stripped, authentication credentials can be transmitted in plaintext. Modern clients should refuse to authenticate over unencrypted connections, but misconfigured systems may not enforce this.19
Server software vulnerabilities: Mail servers like Exim have had serious vulnerabilities. CVE-2019-10149 affected Exim versions 4.87 through 4.91 and was actively exploited. The NSA issued an advisory urging administrators to patch immediately.20
Open submission ports: If an MSA is misconfigured to allow submission without authentication, attackers can use it to send spam while impersonating legitimate users.21
The fundamental security improvement of port 587 is accountability. Every message can be traced back to an authenticated user. This doesn't prevent all abuse, but it makes abuse traceable.
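The submission sequence from "How It Actually Works", written as a client that fails closed when STARTTLS is missing, so credentials are never sent in plaintext. This is an added example, not code from the RFCs or from any mail client; `submit`, `DowngradeError`, `FakeServer` and `commands_seen` are hypothetical names, and the fake server and its sample values are constructed so the block runs offline.

```python
import ssl


class DowngradeError(Exception):
    """The session could not be encrypted before authentication."""


def submit(conn, user, password, sender, rcpts, message, context=None):
    """Send one message over an smtplib.SMTP-style connection, failing closed."""
    conn.ehlo()
    if not conn.has_extn("starttls"):
        # Misconfigured or stripped in transit: stop before any credential is sent.
        conn.close()
        raise DowngradeError("STARTTLS not advertised; refusing to authenticate")
    # The default context verifies the certificate chain and the host name.
    conn.starttls(context=context or ssl.create_default_context())
    conn.ehlo()  # the pre-TLS capability list is untrusted; ask again
    if not conn.has_extn("auth"):
        conn.close()
        raise DowngradeError("AUTH not offered inside the TLS session")
    conn.login(user, password)
    refused = conn.sendmail(sender, rcpts, message)
    conn.quit()
    return refused


class FakeServer:
    """Constructed stand-in for smtplib.SMTP that records the commands it sees."""
    def __init__(self, features):
        self.features, self.log = set(features), []
    def has_extn(self, name):
        return name.lower() in self.features

    def __getattr__(self, command):  # ehlo, starttls, login, sendmail, quit, close
        def record(*args, **kwargs):
            self.log.append(command)
            return {}
        return record


def commands_seen(features):
    """Run submit() against a FakeServer and return the commands it received."""
    server = FakeServer(features)
    try:
        submit(server, "alice", "constructed-password", "alice@example.com",
               ["bob@example.com"], "Subject: test\r\n\r\nhello")
    except DowngradeError:
        server.log.append("ABORTED")
    return server.log
```

Against a real MSA, pass `smtplib.SMTP("mail.example.com", 587, timeout=10)` as `conn`; the host name is a placeholder.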
Related Ports
| Port | Protocol | Purpose |
|---|---|---|
| 25 | SMTP | Mail relay between servers. The original SMTP port from 1982. Often blocked for residential users. |
| 465 | SMTPS | Implicit TLS submission. Originally deprecated in 1998 when STARTTLS was standardized, but reinstated in RFC 8314 as the preferred secure submission port. |
| 587 | Submission | Message submission with STARTTLS. The standard since 1998, required by RFC 6409. |
| 2525 | Unofficial | Alternative submission port when 587 is blocked. Not officially assigned but widely supported. |
| 110 | POP3 | Mail retrieval (download and delete). |
| 143 | IMAP | Mail retrieval (keep on server). |
| 993 | IMAPS | Encrypted mail retrieval. |
The Weight of What It Carries
Port 587 carries the first words of every email you send into the world.
The job application that changed your career. The message to your parents when you moved across the country. The late-night note to a friend going through something hard. The work email you agonized over. The quick reply you sent without thinking.
Before any of those words could travel, port 587 asked: "Who are you?" And only after you answered did it let your voice through.
This is the difference between a door that stands open and a door that asks your name. The open door was exploited by those who had nothing to say worth hearing. The door that asks your name returns accountability to speech.
Email is still the most universal communication protocol on the Internet. It works across every provider, every platform, every device. And port 587 is the threshold where your messages first touch that global system, authenticated and accounted for.
Every time you send an email from any device, anywhere in the world, you're using technology that two engineers designed in 1998 to solve a spam crisis. They saw that the honor system had failed and built a door that asks who you are before letting you speak.
Port 587. The submission port. The door that asks your name.