Which SMTP Port Should I Use: Port 25, 465, 587 or 2525?
People configuring an app or mail system to send (or relay) email often have a common question: “What SMTP port should I use?” You might see information that tells you to use ports 25, 465, 587, or 2525 for SMTP relay. So, which of these should be your standard SMTP port? Here’s what you need to know, and why.
What is an SMTP port?
SMTP (Simple Mail Transfer Protocol) is the basic standard that mail servers use to send email to one another across the internet. SMTP is also used by applications such as Apple Mail or Outlook to upload emails to mail servers that then relay them to other mail servers. (On the other hand, mail apps typically rely on other standards such as IMAP or POP3 to retrieve emails from servers.)
Like other Internet services such as web sites, SMTP email relies on domain names and Internet addresses to know where to send messages. All of us today are familiar with the textual version of these addresses, like www.sparkpost.com. Most of us know that the text address stands in for a numeric IP address like 188.8.131.52. But not as many of us know that these network addresses also include specific “port numbers.” An “SMTP port” refers to the specific part of the Internet address that’s used to transfer email.
The web and HTTP use port number 80. For email and SMTP, that port number is… well, it depends.
How Is SMTP Different From SSL and TLS?
Both technologies facilitate email sending. While SMTP could be the muscle and bones of the process, Secure Sockets Layer (SSL) forms the skin to keep your email secure. SSL works with any available port.
SSL was the go-to standard security protocol for common email ports in the not-too-distant past. With the adoption of its new-and-improved descendent, Transport Layer Security (TLS), electronic communications became even more secure.
While both protocols create a private channel between the sending and receiving computer to secure transmissions, TLS offers more alerts than its ancestor and can execute more hash functions to enhance encrypted communication. Today, many emails use the most up-to-date convention, STARTTLS, which combines with either SSL or TLS protocols for maximum security.
The SMTP protocol on its own is not as secure as it could be. Using the transfer method in conjunction with one of the security protocols provides more encryption protection. For sending email, SSL and other protocols enhance the SMTP transmission.
How can you find out what your SMTP port is?
If you are subscribed to a hosted email relay service you can get the SMTP server hostname and port number from the support page of your email service.
If you run your own SMTP server you can find the configured SMTP port number and address from the SMTP server configuration. In PowerMTA you can find that information from the configured “smtp-listener” directive within the config file. The config file can be found in /etc/pmta/config on a Linux server and C:\pmta\config.dat on Windows Server.
smtp-listener 10.0.1.22:587 # listens on port 587 and IP 10.0.1.22
Which port should you use for SMTP?
Ports 25, 465, 587, or 2525 for SMTP have all been considered standard SMTP ports at some point, but only 587 or 2525 really should be considered for modern use.
If you’re configuring your systems to use SparkPost as an SMTP relay, you should use port 587 as your standard SMTP port, with 2525 as an alternate in case port 587 is not available.
I’ll explain why as we run through the different ports commonly used for sending email today.
Port 25: The original standard SMTP port
Port 25 is the original standard email SMTP port and the oldest, since it first debuted in 1982. Today, the Internet Assigned Numbers Authority (IANA), the group responsible for maintaining the internet addressing scheme, still recognizes port 25 as the standard, default SMTP port. SMTP was designated to use port 25 in IETF Request For Comments (RFC) 821. But in practicality, it’s not as simple as it seems.
Although port 25 continues to be used for server-to-server SMTP relaying, most modern SMTP clients should not be configured to use this port. Port 25 is usually blocked by residential ISPs and business cloud hosting providers alike because it earned a bad reputation as the preferred port for spammers sending massive quantities of unsolicited communications.
Why is port 25 usually blocked? How can you check if it is?
Port 25 is blocked on many networks to curb the amount of spam that is relayed from compromised computers or servers. Unless you’re specifically managing a mail server, you should have no traffic traversing this port on your computer or server.
To check if port 25 is blocked by an ISP:
If you are using Windows, open up your command prompt. If you are using a Mac, open up your Terminal. And, if you are using Linux, open up your Terminal emulator.
Type the following command: telnet examplemailserver.com 25
If port 25 is not blocked, you should receive a message like this one:
user@localhost:~# telnet gmail-smtp-in.l.google.com 25 Trying 184.108.40.206... Connected to gmail-smtp-in.l.google.com. Escape character is '^]'. 220 mx.google.com ESMTP 123si3448417qkd.359 - gsmtp
If you receive a message similar to the one below, port 25 is likely blocked:
telnet: connect to address XX.XX.XX.XX: Connection refused telnet: Unable to connect to remote host
When would you use port 25?
Port 25 is the default port for relaying email on the internet. However, you can specify any port number (Provided it is within the acceptable range of custom port numbers) for submitting emails to your SMTP server.
There are special cases when you must use port 25 on your SMTP server. One of such cases is to receive out of band/asynchronous bounces. This kind of bounces happen after the fact. This means the recipient domain accepts a message from your SMTP server but later bounces the message. Out of band bounces are sent asynchronously to the return path (MAIL FROM) address of the original message. The recipient domain will attempt to send these bounces to the MX server of the return path address and on port 25 (Because port 25 is the default port for relaying email on the internet). Another example is to receive FeedBack Loops (FBL).
You can enable port 25 for receiving messages on a PowerMTA server by configuring the “smtp-listener” directive
smtp-listener 10.0.1.22:25 # listens on port 25 and IP 10.0.1.22
Port 465: Deprecated and out-of-date SMTP port
Port 465 is no longer an accepted standard for SMTP. However, there are some legacy systems that still use port 465 for SMTP, and some help pages on the internet still suggest port 465 as the recommended setup. The port gained redundancy in the late 1990s but still relies on the passive implicit SSL method for establishing secure transmission. Our advice? Don’t do it unless your application absolutely requires it.
IANA initially assigned port 465 for an encrypted version of SMTP called SMTPS. Initially, it was proposed to send emails using the Secure Sockets Layer (SSL). However, IANA has since reassigned this port for a different use, so it should no longer be used for SMTP. This is why SparkPost does not accept connections on port 465.
Port 587: The standard secure SMTP port
Modern email servers use port 587 for the secure submission of email for delivery. For example, if you use an email client software like Outlook or Apple Mail, it most likely is configured to use this port to send your messages. It’s not just personal email client software, however. Systems that transmit messages to an email delivery service like SparkPost also should be configured to use this port.
All SparkPost customers should use port 587 as default, unless you’re explicitly blocked by your upstream network or hosting provider. Using port 587, coupled with TLS encryption, is the best way to ensure that email is submitted securely and reliably to SparkPost (or nearly any other provider).
Port 2525: A common alternate SMTP port
Port 2525 is not an official SMTP port, and it is not sanctioned by the IETF nor IANA. However, SparkPost and many other email service providers support the use of port 2525 as an alternative to port 587 for SMTP, in the event the above ports are blocked. (One notable example where this is required is for services hosted on Google Compute Engine.) If you’ve tried port 587 but experience connectivity issues, try port 2525. Just like port 587, most implementations that listen on port 2525 also support TLS encryption.
Does SMTP Port Matter?
Aside from challenges with connectivity, you’ll find that using the incorrect port impacts deliverability. Email communication can only be effective when it finds its way between sender and receiver, and the right port ensures successful delivery
For the majority of users, your email provider will configure the ports for you so you don’t have to choose. For others, though, it’s important to understand that there are different functions assigned to various different ports, primarily broken down into submission and relay.
Submission and Relaying
Submission is the action of you turning over your freshly minted electronic communication to your outbox with your email service provider. If you and your provider are on different ports, this is where the process stops — your email won’t go any further. When on the same port, your mail server accepts the outgoing communication and shakes hands with the computer on the other end. When everything is secure and in agreement, the transmission takes place. That process is known as relaying.
What is an SMTP server?
An SMTP server is a computer that powers the protocol your email client uses when sending, receiving and/or relaying outgoing messages. As part of the process, an SMTP server verifies that a sender is allowed to send through the SMTP and, if the sender is allowed to send and the message is deemed undeliverable, the SMTP server will send it back to the MAIL FROM address. PowerMTA is one of the leading SMTP servers as it allows senders to adopt the latest authentication specifications for sending high volume emails and to comply with new authentication policies.
How to set up your SMTP server
When it comes to setting up an SMTP server there are two options to explore. You can subscribe to a hosted email relay service. SparkPost is a leading provider of email delivery and analytics service. Alternatively, you can setup your “on-premises” SMTP server for more granular control. An example is PowerMTA.
To stand up a PowerMTA server, contact firstname.lastname@example.org for installation package, license and installation instructions. All PowerMTA configuration is done within the config file which is found in /etc/pmta/config on a Linux server and C:\pmta\config.dat on Windows Server.
For a basic configuration of your SMTP server, there are a few considerations and steps to take.
What IP address and port number do you want your SMTP server to receive emails? Port 25 is the default port for email relaying. In PowerMTA you can change this default port number by editing the “smtp-listener” directive in the config file.smtp-listener 0/0:25 # listens on port 25 of all local IPs. You can also specify a CIDR range of IP addresses
smtp-listener 10.0.1.22:25 # listens on port 25 and IP 10.0.1.22
You must permit relaying of messages from your email client to your SMTP server. Your SMTP server should NEVER be an open relay. This means you must somehow selectively allow relaying. In PowerMTA there are a few ways to do this.You can authenticate with username and password. PowerMTA supports authentication with either LOGIN, PLAIN or the CRAM-MD5 mechanism for inbound connections. This is configured within the smtp-user and source stanza of the config file. For a user “foo” and password “barbaz”<smtp-user foo> password barbaz authentication-method password #certificate (TLS) or system(linux user) are other options </smtp-user> #Then require authentication at the source stanza <source 0/0> require-auth true </source>
You can also selectively allow relaying from a specific IP address or CIDR range. This would be the IP address of your email client.
<source 10.0.5.20> always-allow-relaying yes # allow feeding from 10.0.5.20 </source>
You can also set a recipient domain name/address (or pattern) for which PowerMTA will accept email.
# allow relaying of mail to some.domain relay-domain some.domain relay-address email@example.com relay-address /@foo(bar)?\.com$/ # regex pattern
Another consideration is if you want to securely relay emails from your email client to your SMTP server (Inbound TLS)? If your answer is yes then you must enable STARTTLS for inbound connections and configure a TLS certificate. In PowerMTA TLS is supported from TLSv1 to TLSv1.3.smtp-server-tls-certificate /etc/pmta/yourcert.pem #Enable TLS on inbound connections <source 0/0> allow-starttls true require-starttls-before-auth true #ensures authentication information is only sent over tls </source>
Do you want your SMTP server to securely deliver emails to remote servers (Outbound TLS)? In PowerMTA you have the option to use TLS if the remote server supports it or to enforce TLS and drop the connection if TLS is not supported by the remote server.<domain *> # (*) is a wildcard for all recipient domain use-starttls true #uses TLS if available require-starttls true #enforces TLS </domain>
Set the IP address and hostname from which your SMTP server is to initiate outgoing SMTP connections. In PowerMTA this is set with the smtp-source-host directive.smtp-source-host 192.168.0.10 mail10.yourserver.com #You can also specify CIDR range
Finally, one very unique feature of PowerMTA is the ability to separate your mail stream by building a multi-homed host. The VirtualMTA technology in PowerMTA allows users to define and control the source IP address, hostname and message delivery parameters for each mail stream. This allows for creating separate and specific campaigns, customers or departments, while still running just one instance of PowerMTA.
<virtual-mta mta1> smtp-source-host 220.127.116.11 mta1.yourserver.com <domain *> use-starttls true require-starttls true retry-after 10m </domain> </virtual-mta> <virtual-mta mta2> smtp-source-host 18.104.22.168 mta2.yourserver.com <domain *> use-starttls false require-starttls false retry-after 45m </domain> </virtual-mta>
When the basic setup is completed you can submit messages to your SMTP server configured hostname/IP and port number (10.0.1.22:25 in example above) and depending on how you permit email submission authenticate with the configured username (foo) and password (barbaz).
In summary, SMTP port 587 is the best choice for nearly every use case for connecting to SparkPost and other email delivery services.
I hope this information helped you learn a little more about which SMTP port to use!