Home / Guides / SMTP Ports

SMTP Ports Explained: 25, 465, 587

Which SMTP port should you use? Here's the definitive guide to port 25, 465, and 587 — when to use each and why it matters.

Quick answer

Use port 587 with STARTTLS. It's the standard for email submission from applications, supported by every major email provider, and works on all cloud platforms without special configuration.

SMTP port comparison

PortPurposeEncryptionAuth RequiredUse For
25Server-to-server relayOptional STARTTLSNoMTA relay only, not applications
465Submission (implicit TLS)TLS from startYesApplication email sending
587Submission (STARTTLS)Upgrades to TLSYesApplication email sending (recommended)
2525Alternative submissionSTARTTLSYesFallback when 587 is blocked

Port 25 — Server-to-server relay

Port 25 is the original SMTP port, defined in RFC 821 (1982). It's used for server-to-server email relay — when one mail server delivers email to another mail server.

Do not use port 25 for application email sending:

  • Most cloud providers (AWS, GCP, Azure, DigitalOcean) block outbound port 25 by default
  • Most ISPs block port 25 for residential connections
  • Port 25 doesn't require authentication, making it a spam vector
  • You'd need to request unblocking from your provider, which adds deployment friction

Port 587 — Submission with STARTTLS (recommended)

Port 587 is the standard for email submission from applications and email clients. Defined in RFC 6409, it requires authentication and supports STARTTLS encryption.

How STARTTLS works on port 587:

  • Client connects on port 587 (initially unencrypted)
  • Client sends EHLO, server responds with capabilities including STARTTLS
  • Client sends STARTTLS command
  • TLS handshake occurs — connection is now encrypted
  • Client authenticates and sends email over the encrypted connection

This is the port to use for virtually all application email sending.

Port 465 — Submission with implicit TLS

Port 465 uses implicit TLS — the connection is encrypted from the very first byte. There's no STARTTLS upgrade step. The client connects, performs a TLS handshake immediately, then proceeds with SMTP.

Port 465 was originally assigned for SMTPS in the 1990s, then deprecated, then re-standardized in RFC 8314 (2018). It's now a valid alternative to port 587.

Advantages over 587:

  • No opportunistic downgrade risk — TLS is mandatory from the start
  • Slightly faster — no STARTTLS negotiation step

Disadvantages:

  • Less widely supported than 587 in older systems
  • Some firewalls and proxies don't handle implicit TLS on 465

Port 2525 — Alternative submission

Port 2525 is an unofficial alternative for email submission. It works identically to port 587 (STARTTLS, authenticated) but is used as a fallback when port 587 is blocked by a firewall or ISP.

Some email providers offer 2525 as an option. It's not standardized in any RFC but is widely supported.

SMTP ports with RelayPost

RelayPost supports both standard submission ports:

PortEncryptionHost
587STARTTLSsmtp.relaypost.dev
465Implicit TLSsmtp.relaypost.dev

Use port 587 unless you have a specific reason to use 465. Both require authentication with your SMTP credentials from the RelayPost dashboard.

Related guides

Frequently asked questions

Which SMTP port should I use?

Use port 587 with STARTTLS for email submission from applications. This is the standard port for authenticated email sending and is supported by virtually all email providers. Port 465 with implicit TLS is also acceptable. Never use port 25 for application email — it's for server-to-server relay only.

What's the difference between port 465 and 587?

Port 587 uses STARTTLS — the connection starts unencrypted and upgrades to TLS after the EHLO handshake. Port 465 uses implicit TLS — the connection is encrypted from the first byte. Both are secure. Port 587 is more widely supported; port 465 was re-standardized in RFC 8314 (2018).

Is port 25 blocked?

Most cloud providers (AWS, GCP, Azure) and ISPs block outbound port 25 by default to prevent spam. You can request unblocking from your provider, but for application email, use port 587 or 465 instead.

Do I need TLS for SMTP?

Yes. Sending email without TLS means credentials and email content travel in plaintext. Always use STARTTLS (port 587) or implicit TLS (port 465). Modern email providers require TLS for authenticated connections.

SMTP that just works

Connect on port 587 or 465. Authentication, encryption, and delivery handled.

Get Started Free