Port 25 vs Port 587: What's the Difference Between Them

A Basic Overview of SMTP Ports

SMTP stands for Simple Mail Transfer Protocol, the standard protocol for sending email across the Internet.

To send mail via SMTP, an email client or server connects to an SMTP server on a remote domain, often the email provider’s mail server. This allows the message to be relayed to the correct recipient.

To facilitate these SMTP connections, email servers listen on specific TCP ports:

  • Port 25: The standard SMTP port. This is the default port used for SMTP mail transmission.
  • Port 587: The SMTP submission port. Used for encrypted mail transmission.

Key Takeaways

  • Port 25 is the standard SMTP port, but many ISPs block it for outbound mail due to spam. Port 587 is the submission port recommended for most users today.
  • Port 587 uses SSL/TLS encryption by default, while port 25 does not, making it more secure.
  • Large email servers and services often still need port 25 to send high volumes of mail efficiently. But for individuals and smaller organizations, 587 is usually better.

A Head to Head Comparison Between Port 25 vs Port 587

| Feature | Port 25 | Port 587 |
|---|---|---|
| Purpose | Traditional SMTP port for email transmission | Recommended port for submitting emails securely |
| Encryption | Generally used for unencrypted email communication | Supports encryption protocols like STARTTLS |
| Security | Lower security, more susceptible to email spoofing and interception | Higher security, helps prevent email spoofing and interception |
| Authentication | Limited authentication options | Supports stronger authentication methods |
| Firewall Restrictions | Often blocked by firewalls due to security concerns | Less likely to be blocked by firewalls |
| Email Delivery Reliability | May experience higher delivery failure rates | Generally more reliable email delivery |
| Email Server Configuration | Simpler configuration, but less secure | Requires additional configuration for encryption |
| Email Client Support | Widely supported by email clients | Also widely supported, but may require additional setup |
| Compliance | May not meet compliance requirements for secure email communication | Better suited for compliance with security standards |
| Recommended Use | Legacy email systems, internal email communication | Recommended for modern, secure email communication |

Port 25: The Standard SMTP Port

Port 25 is the original SMTP port defined in the SMTP RFC documents. Before encryption became common, port 25 was used for all SMTP mail flows, both incoming and outgoing.

Even today, port 25 is still the standard TCP port used for SMTP mail transmission between email servers. When you send a message to an email address on another domain, your mail server will attempt to connect to the destination mail server on port 25 to deliver the message.

However, there are some downsides to using port 25 for outbound mail from clients:

  • No encryption: Communication over port 25 is usually unencrypted. This means emails and credentials are exposed.
  • Prone to blocking: Many ISPs now block outbound connections to port 25 to limit spamming.
  • No authentication: There is no authentication required on port 25 by default.

For these reasons, port 25 is no longer recommended for most end users sending mail. However, larger email providers may still need direct access to port 25 to send high volumes of outbound messages efficiently.

Port 587: The SMTP Submission Port

Port 587 was introduced later to provide a better-secured and more reliable alternative SMTP method. It’s defined in RFC 6409 as the SMTP submission port.

Some key advantages of using port 587 over 25 include:

  • Encryption: Connections use SSL/TLS by default to encrypt traffic.
  • Authentication: The SMTP server requires valid credentials to send mail.
  • Not blocked: ISPs generally do not block outbound port 587 due to improved security.
  • Ideal for clients: Port 587 is perfect for email clients to send mail via SMTP securely.

For these reasons, port 587 has essentially replaced port 25 for end users and smaller organizations that need to send mail from their domains. It provides a much more reliable and secure SMTP option compared to 25.

When to Use Port 25 vs. 587

  • For individual users and smaller organizations, port 587 should be used for outgoing mail. This will provide the best security and avoid blocked connections.
  • For large email providers sending high volumes of mail, using port 25 may still be required for performance and efficiency. But connections should be restricted and secured.
  • For incoming mail, email servers will still need to listen on port 25. But where possible, enable additional security like TLS encryption.

Some specific use cases:

  • Sending from a desktop email client: Use port 587 with SSL enabled. Common for programs like Outlook or Thunderbird.
  • Sending from a web application: Have the app connect to port 587 of your SMTP server to relay mail. This requires SMTP authentication.
  • Self-hosted mail server: Listen on port 25 for inbound delivery. Connect to port 587 of your ISP’s SMTP server for outgoing mail.
  • Third-party mail services: Services like SendGrid allow you to relay mail with credentials through their SMTP servers on port 587.
  • Cloud email providers: Providers like G Suite and Office 365 will handle all port 25 connections internally to deliver your mail.

Port 25 and Port 587: Differences in Security

One of the main differences between port 25 and 587 is encryption.

Port 25 does not use encryption by default. Communication is done in plain text, which means emails and login credentials are exposed during transmission over port 25.

Port 587 uses implicit TLS encryption to secure connections by default. With TLS, all traffic is encrypted between the two servers, protecting your data and credentials as mail is sent.

However, there are ways to add encryption when using port 25:

  • STARTTLS: This activates encryption after the SMTP connection is established. Supported by most modern mail servers.
  • SMTPS: Connect directly over SSL on port 25 through a secure socket. But not widely supported.
  • VPN Tunnels: Use a VPN to encrypt traffic between mail servers.

These help improve security for port 25 connections. However, they add complexity compared to the default encryption on port 587.

Requirements for authentication also differ. Port 25 does not inherently require credentials to send mail. But with port 587, the server will require authentication using a username and password before allowing outbound mail transmission.

This verifies the sending identity and prevents unauthorized use for spamming. Overall, 587 has much stronger security defaults than 25.

Mail Server Configuration for Port 25 and Port 587

On email servers, both ports 25 and 587 will need to be properly configured depending on the server’s role.

For servers focused on receiving incoming mail:

  • Listen on port 25 for inbound delivery from external domains.
  • Use DNS records like MX and A to help routing.
  • Enable security features like TLS, DKIM, DMARC, and reverse DNS.

For servers focused on relaying outgoing mail:

  • Listen on submission port 587 for outbound mail.
  • Require SMTP authentication to verify identities.
  • Connect to remote domain SMTP servers on port 25 for message delivery.
  • Use TLS encryption to secure submission connections.

For servers handling both directions:

  • Listen on port 25 for inbound delivery.
  • Listen on port 587 for outbound mail with authentication.
  • Configure optimal DNS and security settings.
  • Port 25 should only allow relaying from trusted IP ranges.

Proper server configuration helps maximize security and deliverability for both port 25 and 587.

SMTP Ports for Email Providers

If you use a third-party email provider like Gmail or Office 365, you don’t need to worry about SMTP ports.

These hosted email services will handle all port 25 communications internally on your behalf. For sending mail, they’ll provide an SMTP submission server for clients to connect to on port 587 using SSL and credentials.

For example, here are the outbound SMTP settings for some common email providers:

  • Gmail: smtp.gmail.com:587
  • Outlook.com: smtp.office365.com:587
  • Yahoo Mail: smtp.mail.yahoo.com:587
  • Fastmail: smtp.fastmail.com:587

This takes care of the SMTP complexities and security for you. Just plug their details into your email client and authenticated SMTP will work via 587.

How to Check Your SMTP Port Connectivity

You can check whether specific SMTP ports are reachable from your network using utilities like telnet:

> telnet smtp.gmail.com 587
Trying 64.233.165.109...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP 12sm27795603wru.14: gsmtp

This verifies you can connect to Gmail’s SMTP server on port 587.

If your ISP blocks port 25, the connection will fail:

> telnet smtp.gmail.com 25
Trying 64.233.165.109...
telnet: Unable to connect to remote host: Connection timed out

This helps diagnose issues if you can’t send mail due to blocked ports or connectivity problems.
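
The telnet test only shows that the port answers. The Python code below is an added example, not part of the original article: it reads the server's EHLO reply and flags the weaknesses discussed in the security section, namely a session that cannot be upgraded with STARTTLS and a login offered before encryption. The sample replies are constructed, the finding names and function names are this example's own, and `probe` assumes network access to a mail server you operate.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
SUBMISSION_OK = """250-mail.example.test
250-SIZE 35882577
250-8BITMIME
250 STARTTLS"""
SUBMISSION_WEAK = """250-mail.example.test
250-AUTH PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    features = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:  # line 1 is the greeting, not an extension
        code, sep, rest = ln[:3], ln[3:4], ln[4:].split()
        if code != "250" or sep not in ("-", " ") or not rest:
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        features[rest[0].upper()] = [p.upper() for p in rest[1:]]
    return features

def audit(port, pre_tls, post_tls=None):
    """Findings from the features seen before (and optionally after) STARTTLS."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("no-starttls")        # session stays in plain text
    if "AUTH" in pre_tls:
        findings.append("auth-before-tls")    # password can cross the wire unencrypted
    if port == 587 and post_tls is not None and "AUTH" not in post_tls:
        findings.append("no-auth-after-tls")  # submission listener offers no login
    return findings

def probe(host, port, timeout=10):
    """Live variant of the telnet test: EHLO, STARTTLS if offered, EHLO again."""
    norm = lambda f: {k.upper(): v.upper().split() for k, v in f.items()}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre, post = norm(smtp.esmtp_features), None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())  # verifies the certificate
            smtp.ehlo()  # extensions must be re-read after the TLS upgrade
            post = norm(smtp.esmtp_features)
    return audit(port, pre, post)
```

An empty list from `audit` means none of the three conditions was observed; it does not confirm that the server rejects unauthenticated relaying.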

Final Thoughts

In summary, while both port 25 and port 587 are used for email communication, they serve distinct purposes. Port 25 is the traditional SMTP port, often used for unencrypted email transmission, whereas port 587 is the recommended port for submitting emails securely using encryption protocols like STARTTLS.

The use of port 587 is generally preferred as it provides an additional layer of security and helps prevent potential email spoofing or interception. Understanding the differences between these two ports is crucial for configuring email clients and servers to ensure reliable and secure email communication.

Frequently Asked Questions about SMTP Ports 25 and 587

Do ISPs block port 25?

Many major ISPs block outbound connections to port 25 to help limit spam and abuse. Some exceptions are made for legitimate large-scale mail servers, but port 587 is usually open.

What is the difference between port 25 and port 587?

Port 25 is the original standard SMTP port, which does not use encryption. Port 587 is designated for SMTP submission and uses implicit TLS encryption and authentication.

Is port 25 or 587 more secure?

Port 587 is much more secure due to mandatory encryption and login requirements. Port 25 does not have encryption by default, though it can be added.

When should I use port 25 vs port 587?

Use 587 for clients and servers focused on outbound mail. Use 25 for inbound delivery and communication between high-volume mail servers.

Can port 25 use encryption?

Yes, options like STARTTLS and SMTPS can add encryption to port 25 connections, but this is not the default behavior.

Do I need to configure SMTP ports if using Office 365?

No, cloud providers like Office 365 handle all SMTP port connections internally. You need to use the submission server they provide.

How do I test SMTP port connectivity?

You can use the telnet command line utility to test connections to SMTP servers on ports 25 and 587. This helps identify issues.

What are common SMTP ports for popular email providers?

Most major providers use submission port 587 with SSL for outbound mail from clients: e.g., Gmail: 587, Outlook.com: 587, Yahoo: 587.

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.