SMTP port numbers control how email moves between clients, servers, and relays. Choosing the correct port and understanding its security implications is essential for reliable email delivery and compliance.
This guide explains standard SMTP ports, encryption behavior, and practical configurations you can apply to mail servers and applications.
| Port | Encryption | Protocol | Common Use |
|---|---|---|---|
| 25 | None by default | SMTP | Server-to-server relay, often blocked by cloud providers |
| 587 | STARTTLS or TLS | SMTP MSA | Message submission from clients with mandatory authentication |
| 465 | Implicit TLS | SMTP over SSL | Legacy submission port, still supported by many clients |
| 24 | STARTTLS or TLS | SMTP alternative | Non-standard port used to avoid filtering while maintaining security |
Port 25 Server Relay and Restrictions
Port 25 is the original SMTP port defined for mail servers to exchange email. System administrators use it for routing messages between mail transfer agents across the internet.
Many cloud providers and residential ISPs block outbound port 25 to curb spam and botnet traffic. As a result, direct usage of port 25 from edge servers often fails unless explicitly allowed by the hosting provider.
Port 587 Submission with Mandatory Encryption
Why 587 is preferred for client mail submission
Port 587 is designated as the official message submission port. It requires authentication and typically enforces STARTTLS or TLS before any mail data is transmitted, reducing the risk of credentials or content being sent in clear text.
Email clients and mobile apps should use port 587 whenever possible. It balances compatibility with modern security policies and is widely accepted by both on-premises and cloud mail servers.
Port 465 Implicit TLS for Legacy Clients
Compatibility considerations for older software
Port 465 was historically used for SMTP over SSL. Although IETF deprecated the implicit TLS model on this port, many servers still support it to ensure compatibility with legacy devices and applications.
If your mail client or device cannot negotiate STARTTLS, connecting via port 465 with native SSL/TLS provides a secure path for submission without relying on the upgrade mechanism.
Port 24 and Non-Standard Alternatives
When to consider alternative ports
Port 24 is an alternate SMTP port that follows the same protocol as port 25 but is less likely to be filtered by cloud and hosting environments. It can be used for encrypted relay when upstream policies restrict standard ports.
Organizations operating in tightly controlled networks sometimes choose non-standard ports to reduce noise from automated scans while maintaining similar protocol behavior and security profiles. p>
Operational Recommendations for SMTP Ports
- Prioritize port 587 for client email submission with enforced TLS.
- Use port 465 only for devices that cannot handle STARTTLS upgrades.
- Avoid relying on port 25 for authenticated submission from end-user clients.
- Monitor firewall rules and provider policies to ensure your chosen port remains allowed.
- Enable logging and alerts for TLS failures to quickly detect encryption issues.
- Test failover paths, such as port 24 or provider-specific endpoints, during maintenance windows.
FAQ
Reader questions
Should I use port 25, 587, or 465 for my mail server
Use port 587 for client submission whenever you can, since it enforces authentication and upgrades to TLS. Fall back to port 465 only for legacy clients that do not support STARTTLS. Reserve port 25 for server-to-server relay in environments where it is allowed and not blocked by your provider.
Is port 25 secure for sending email
Port 25 provides no encryption by default, so credentials and content can be exposed unless you add opportunistic TLS. Most modern deployments avoid relying on plain port 25 for any transmission that contains sensitive information.
Can I use port 465 with modern applications
Yes, many mail servers and clients still support port 465 for implicit TLS. While not recommended for new integrations, it remains a reliable choice when STARTTLS negotiation fails or device capabilities are limited.
What happens if outbound 587 is blocked in my network
Check with your hosting or cloud provider to open port 587 for authenticated submission. If that is not possible, consider negotiating with the network team to allow port 587 as an exception specifically for mail traffic, which is generally easier to justify than allowing generic outbound SMTP.