SMTP Submission Ports: 25 vs 465 vs 587
Email uses three TCP ports that look almost identical but serve very different roles. Port 25 carries mail between servers. Port 587 is where applications and mail clients submit outbound mail. Port 465 is the implicit-TLS alternative to 587. Configuring an SMTP client requires knowing which one to use and why — and configuring a mail server requires knowing which to expose and to whom.
The three ports at a glance
| Port | Use | TLS | Authentication |
|---|---|---|---|
| 25 | Server-to-server relay | STARTTLS (opportunistic) | Usually none (SPF/DKIM/DMARC for identity) |
| 587 | Client/app submission | STARTTLS (often required) | Required (username/password or token) |
| 465 | Client/app submission (SMTPS) | Implicit TLS from connect | Required |
Port 25: server-to-server relay
Mail Transfer Agents (MTAs) talk to each other on port 25. The receiving server has an MX record pointing at its hostname; the sending server resolves that and connects on port 25. STARTTLS is used opportunistically: the connection upgrades to TLS when both sides advertise support and falls back to plaintext when they do not.
Authentication on port 25 is unusual; the sender's identity is established by SPF/DKIM/DMARC rather than by SMTP AUTH. Senders aren't logging into the receiver — they're delivering mail and trusting the receiver to verify the claimed sender against authentication records.
Outbound port 25 is widely blocked by ISPs to suppress spam from compromised hosts. End-user devices and applications should not use port 25 for outbound mail.
Port 587: submission
RFC 6409 defines port 587 as the submission port. Mail clients (Thunderbird, Apple Mail, Outlook) and applications (your web server's email-sending code, transactional mail) connect on 587 to their own mail provider's outgoing server.
Submission requires authentication. The client logs in with username and password (or modern equivalents like XOAUTH2). The provider's server accepts the mail and then relays it to the recipient's MX on port 25.
Modern submission requires STARTTLS: the connection starts in cleartext and immediately upgrades to TLS before any credentials are exchanged. Most providers refuse plaintext AUTH on 587 entirely.
Port 465: implicit TLS submission (SMTPS)
Port 465 has a complicated history. It was originally allocated for SMTPS (SMTP over SSL), then deprecated in favor of STARTTLS on 25/587, then quietly re-emerged in the 2000s, and finally re-blessed by RFC 8314 in 2018 as the recommended way to do implicit TLS submission.
The difference from 587: on 465, the TLS handshake happens immediately when the TCP connection opens — there's no plaintext phase at all. On 587, the connection starts in cleartext and upgrades via STARTTLS.
Functionally, both achieve encrypted authenticated submission. 465 has a marginal security advantage (no plaintext negotiation, no STARTTLS-strip attack risk on the submission path) and is increasingly preferred for new deployments.
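The client side of that difference, as an added example that is not part of the original page: a Python `smtplib` helper that uses implicit TLS on 465 and mandatory STARTTLS on 587, and stops before AUTH when STARTTLS is not advertised. The function names, the EHLO name `client.example` and the loopback test peer are constructed for illustration.

```python
import smtplib
import socket
import ssl
import threading

HELO_NAME = "client.example"   # constructed EHLO name; avoids a DNS lookup

def open_submission(host, port, timeout=5):
    """Return an SMTP session that is under TLS before any AUTH can be sent."""
    ctx = ssl.create_default_context()       # verifies certificate and hostname
    if port == 465:                          # implicit TLS: handshake at connect
        return smtplib.SMTP_SSL(host, port, local_hostname=HELO_NAME,
                                context=ctx, timeout=timeout)
    smtp = smtplib.SMTP(host, port, local_hostname=HELO_NAME, timeout=timeout)
    smtp.ehlo()                              # 587: this exchange is cleartext
    if not smtp.has_extn("starttls"):        # stripped or unsupported: stop here
        smtp.close()
        raise RuntimeError("STARTTLS not offered; refusing to send credentials")
    smtp.starttls(context=ctx)
    smtp.ehlo()                              # re-read capabilities inside TLS
    return smtp

def stripped_server(log):
    """Constructed test peer: advertises AUTH but not STARTTLS."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with srv, conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 test ESMTP\r\n")
            for raw in lines:
                log.append(raw.decode().strip())
                ehlo = log[-1].upper().startswith("EHLO")
                conn.sendall(b"250-test\r\n250 AUTH PLAIN LOGIN\r\n" if ehlo
                             else b"502 not implemented\r\n")
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread

def demo():
    """Connect to the stripped peer; return (refusal_reason, commands_it_saw)."""
    log = []
    port, thread = stripped_server(log)
    try:
        open_submission("127.0.0.1", port)
    except RuntimeError as exc:
        thread.join(2)                       # let the peer finish reading
        return str(exc), log
    return None, log
```

A caller would invoke `login()` on the returned session only after `open_submission` succeeds, so credentials never cross a cleartext connection.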
What clients should use
- Mail clients (Thunderbird, Apple Mail, Outlook): 587 with STARTTLS, or 465 with implicit TLS. Both work.
- Transactional applications (web server sending password resets): same as above; pick what your library supports.
- Mail servers relaying to other providers (smarthost setup): 587 or 465 with credentials, depending on the upstream provider's preference.
- Direct delivery from an authoritative MTA: port 25 to the recipient's MX.
The plaintext port 25 problem
An end user configuring their email client to use port 25 is usually doing something wrong:
- If their ISP blocks 25 outbound, the connection fails entirely.
- If 25 is open, the client connects directly to recipients' MX servers — and their PTR, SPF, and DKIM all reflect the home IP, which has no reputation. Mail goes to spam.
- The user has no auth — their identity is unverified by the receiver.
The correct pattern is submit-to-provider-on-587 and let the provider relay over 25 with proper identity and reputation.
Port 465 vs 993 vs 995
Don't confuse submission ports with retrieval ports:
| Port | Protocol | Direction |
|---|---|---|
| 25 | SMTP relay | Server-to-server |
| 465 | SMTPS submission | Client-to-server (outgoing) |
| 587 | SMTP submission | Client-to-server (outgoing) |
| 110 | POP3 (cleartext) | Client-to-server (incoming) |
| 995 | POP3S | Client-to-server (incoming) |
| 143 | IMAP (cleartext) | Client-to-server (incoming) |
| 993 | IMAPS | Client-to-server (incoming) |
Implementing submission
If you run a mail server, you typically expose 587 and 465 to authenticated clients. Configuration in major MTAs:
- Postfix: `master.cf` has `submission` (587) and `smtps` (465) entries. Enable both.
- Exim: conditional config based on listening port.
- SaaS mail providers: handle automatically.
Make sure SMTP AUTH is required, STARTTLS is enforced on 587, implicit TLS is used on 465, and weak ciphers are disabled. Port 25 stays open without auth for inbound relay from other servers.
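One way to check those requirements on a Postfix host, as an added example (not Postfix's own tooling and not from the original page): a Python audit of the `-o name=value` overrides on the `submission` and `smtps` entries in `master.cf`. It assumes the settings are made as per-service overrides rather than in `main.cf`, uses an exact-match policy chosen for illustration, and does not inspect cipher settings; the sample file is constructed.

```python
import re

# Assumed policy: each submission listener carries these overrides in master.cf.
AUTH_ONLY = {"smtpd_sasl_auth_enable": "yes",
             "smtpd_relay_restrictions": "permit_sasl_authenticated,reject"}
REQUIRED = {
    "submission": {"smtpd_tls_security_level": "encrypt", **AUTH_ONLY},  # 587
    "smtps": {"smtpd_tls_wrappermode": "yes", **AUTH_ONLY},              # 465
}
ALIASES = {"587": "submission", "465": "smtps", "submissions": "smtps"}

def parse_master_cf(text):
    """Return {service: {param: value}} from -o overrides of inet services."""
    body = "\n".join(l for l in text.splitlines()
                     if l.strip() and not l.lstrip().startswith("#"))
    entries = re.sub(r"\n[ \t]+", " ", body).splitlines()  # join continuations
    services = {}
    for fields in (e.split() for e in entries):
        if len(fields) < 8 or fields[1] != "inet":
            continue
        name = fields[0].rsplit(":", 1)[-1]        # "127.0.0.1:587" -> "587"
        args = fields[8:]
        services[ALIASES.get(name, name)] = dict(
            v.split("=", 1) for f, v in zip(args, args[1:]) if f == "-o" and "=" in v)
    return services

def audit(text):
    """List what keeps 587/465 from enforcing TLS and authenticated-only use."""
    services, findings = parse_master_cf(text), []
    for svc, required in REQUIRED.items():
        opts = services.get(svc)
        if opts is None:
            findings.append(f"{svc}: listener not enabled")
            continue
        findings += [f"{svc}: {k}={opts.get(k, 'unset')}, want {want}"
                     for k, want in required.items() if opts.get(k) != want]
    return findings

# Constructed sample: weak submission entry beside a hardened smtps entry.
SAMPLE = """\
smtp       inet n - y - - smtpd
submission inet n - y - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
smtps      inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
```

`audit(SAMPLE)` flags the `submission` entry for opportunistic TLS (`may`) and for the missing relay restriction, passes the `smtps` entry, and ignores the port 25 `smtp` listener, which is meant to stay open without auth.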
Firewall implications
For an office or home network:
- Outbound 25: typically blocked by ISP; can be allowed for outbound mail server traffic if you operate one.
- Outbound 587 / 465: should be allowed for mail client submission.
- Inbound 25: only if you run an authoritative MX on premises.
- Inbound 587 / 465: only if you host the submission service yourself.
Frequently Asked Questions
What is the difference between port 25 and port 587?
Port 25 is for server-to-server mail relay between Mail Transfer Agents. Port 587 is for client-to-server mail submission by end users or applications. Most ISPs block outbound port 25 from residential and many business connections; port 587 is unblocked because it requires authentication. They serve different roles in the mail flow and have different security expectations.
What is port 465 for?
Implicit TLS submission. The connection is TLS-encrypted from the very first byte, with no plaintext negotiation. Port 587 by contrast starts in cleartext and upgrades via STARTTLS. Port 465 was deprecated in the late 1990s, undeprecated more recently, and is now formalized as SMTPS in RFC 8314. Both 587 and 465 are acceptable for submission today.
Why is port 25 often blocked?
To prevent compromised home computers from sending spam directly. If outbound port 25 is open from every residential connection, malware can use the connection as a spam relay. ISPs block outbound 25 by default and require legitimate mail senders to use authenticated submission on 587/465 or to apply for an exemption.
Should I use 465 or 587?
Either is fine. RFC 8314 recommends 465 (implicit TLS) for new deployments because it's slightly more secure — no plaintext phase, no STARTTLS strip attack — but 587 with mandatory STARTTLS is essentially equivalent in practice. Pick whichever your client supports best. Some older clients only support 587.
What is the difference between submission and relay?
Submission is when an end user or application sends mail to its own provider's outgoing server — authenticated, on ports 587 or 465. Relay is when servers pass mail between providers — unauthenticated (modulo SPF/DKIM), on port 25. The same SMTP protocol is spoken on both, but the security model differs: submission requires login; relay does not.