Although port 587 is the standard port for secure SMTP email transmission, older systems sometimes rely on ports 25, 465, or 2525.
Originally, the Simple Mail Transfer Protocol (SMTP) used port 25. Today, SMTP should instead use port 587 — this is the port for encrypted email transmissions using SMTP Secure (SMTPS).
Port 465 is also used sometimes for SMTPS. However, this is an outdated implementation and port 587 should be used if possible. Finally, some email service providers also support SMTP on port 2525 as a backup in case these other ports are blocked by a network provider or a firewall.
SMTP is the protocol, or set of rules for formatting data, that helps emails travel across the Internet. It transfers emails from mail server to mail server until they reach their final destination. At that point, other protocols are used to retrieve the emails and allow users to read them.
Most networking protocols (like SMTP) are designed to go to a specific port. In networking, a port is a virtual location within a computer.
A port is somewhat like a mail slot in a large building, with each mail slot belonging to a different resident within the building. Addressing mail to the entire building does not ensure delivery, as the wrong resident might receive the mail and discard it. Instead, mail has to be addressed to the specific mail slot owned by the addressee. Similarly, a computer may not know what to do with network data that does not indicate a port. But the computer can receive data directed at a specific port and pass it to the correct application or process.
An SMTP port is a port designated for use by SMTP — as stated above, ports 25, 465, 587, and 2525 have all been used at various times and in various situations.
SMTPS is more secure than regular SMTP because it encrypts emails, authenticates emails, and prevents data tampering. It does these three things by using the Transport Layer Security (TLS) protocol.
The official default port for SMTPS is port 587. SMTPS connections start with a "STARTTLS" command to let the mail server know that the SMTP traffic will be sent over TLS.
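The STARTTLS upgrade described above, as an added example that is not part of the original article: a Python check that walks an SMTP transcript and reports whether the server offered STARTTLS, whether the upgrade completed, and which sensitive commands were sent before it. The function name `audit_starttls`, both transcripts and the `example.test` hostnames are constructed for illustration.

```python
# Added example: audit SMTP transcripts for the STARTTLS upgrade.
# Both transcripts are constructed samples; hostnames are placeholders.
SENSITIVE = ("AUTH", "MAIL", "RCPT", "DATA")

def audit_starttls(transcript):
    """Walk ('C'|'S', line) pairs; report whether STARTTLS was offered and
    completed, and which sensitive commands preceded the upgrade."""
    advertised = requested = upgraded = False
    cleartext = []
    for sender, line in transcript:
        text = line.strip()
        if sender == "S":
            # EHLO reply lines look like "250-STARTTLS" or "250 STARTTLS".
            if text[:3] == "250" and text[4:].upper().split(" ")[0] == "STARTTLS":
                advertised = True
            if requested:  # first server line after the client's STARTTLS
                upgraded = upgraded or text.startswith("220")
                requested = False
        else:
            verb = text.split(" ")[0].upper()
            if verb == "STARTTLS":
                requested = True
            elif verb in SENSITIVE and not upgraded:
                cleartext.append(verb)
    return {"advertised": advertised, "upgraded": upgraded,
            "cleartext_commands": cleartext}

UPGRADED_SESSION = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    ("C", "EHLO client.example.test"),      # repeated inside the TLS tunnel
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN <redacted>"),
    ("C", "MAIL FROM:<alice@example.test>"),
]
NO_TLS_SESSION = [
    ("S", "220 legacy.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-legacy.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"),          # no STARTTLS offered
    ("C", "AUTH PLAIN <redacted>"),
    ("C", "MAIL FROM:<alice@example.test>"),
]
```

A mail client or log review that sees a non-empty `cleartext_commands` list should treat the session as unencrypted and refuse to send credentials over it.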
In the 1990s, some email service providers began to use SMTPS with Secure Sockets Layer (SSL), which was the original version of TLS that has now been deprecated. They designated port 465 for this purpose, even though no official Internet bodies had sanctioned such use of that port. (Port usage is standardized to ensure communication is possible between diverse computers and networks.) This is why port 465 is sometimes still used for email — despite the fact that this port is nonstandard.
While SMTPS is more secure and private than using no encryption or authentication, it only encrypts emails as they move from sender to mail server and between mail servers. A mail server on an email's path receives the email in unencrypted form before re-encrypting it to pass it to the next server. This is as if a postal service transferred the contents of an envelope to a new envelope at each post office it passed through, leaving the envelope's contents briefly exposed.
Some email senders prefer to use end-to-end encryption (E2EE). E2EE ensures that only the sender and the recipient of an email can view it in decrypted form. It keeps email contents private from all intermediaries, including the mail servers on the email's path. This process is similar to an envelope that remains sealed until it reaches the addressee.
SMTPS does not enable E2EE. Instead, protocols like Pretty Good Privacy (PGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used for E2EE. To learn more, see What is email encryption?
While SMTP sends emails, the Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP) retrieve them, enabling recipients to read or download them. Much like SMTP, these protocols have both encrypted (via TLS) and unencrypted versions:
Some email services offer SMTP delivery over port 2525 in case the above ports are blocked. However, this port is not standard for email and is not officially associated with SMTP.
Some servers do not support all versions of SMTP and the other email protocols — for instance, older services may not be configured to receive TLS-encrypted traffic at port 587. Additionally, network administrators sometimes deny access to these ports to block attack traffic and spam, or to stop users from running their own mail servers.
While blocking port 25 or other email ports may prevent some spam and phishing attacks, malicious and unwanted emails are still likely to get through. Sophisticated business email compromise (BEC) attacks, in particular, are often well-disguised within acceptable email traffic. To counteract this, Cloudflare Area 1 Email Security stops sophisticated email-based attacks by detecting threats in advance. Read more about Cloudflare Area 1 Email Security.