What SMTP port should be used? Port 25 or 587?

What SMTP port should be used?

Originally, the Simple Mail Transfer Protocol (SMTP) used port 25. Today, SMTP should instead use port 587 — this is the port for encrypted email transmissions using SMTP Secure (SMTPS).

Port 465 is also used sometimes for SMTPS. However, this is an outdated implementation and port 587 should be used if possible. Finally, some email service providers also support SMTP on port 2525 as a backup in case these other ports are blocked by a network provider or a firewall.

What is SMTP?

SMTP is the protocol, or set of rules for formatting data, that helps emails travel across the Internet. It transfers emails from mail server to mail server until they reach their final destination. At that point, other protocols are used to retrieve the emails and allow users to read them.

(Like HTTP, SMTP is an application layer protocol that runs on top of TCP/IP.)

What is an SMTP port?

Most networking protocols (like SMTP) are designed to go to a specific port. In networking, a port is a virtual location within a computer.

A port is somewhat like a mail slot in a large building, with each mail slot belonging to a different resident within the building. Addressing mail to the entire building does not ensure delivery, as the wrong resident might receive the mail and discard it. Instead, mail has to be addressed to the specific mail slot owned by the addressee. Similarly, a computer may not know what to do with network data that does not indicate a port. But the computer can receive data directed at a specific port and pass it to the correct application or process.

An SMTP port is the port designated for use by SMTP — as stated above, this has been ports 25, 465, 587, and 2525 at various times and in various situations.

How does SMTP Secure (SMTPS) work?

SMTPS is more secure than regular SMTP because it encrypts emails, authenticates emails, and prevents data tampering. It does these three things by using the Transport Layer Security (TLS) protocol.

• Encryption: TLS encrypts data as it traverses a network. Encryption is the process of scrambling data so that only parties with the correct decryption key can unscramble and view the data. This keeps the data secure as it travels through untrusted environments like the Internet.
• Authentication: TLS uses digital signatures to ensure that network traffic comes from the place it claims to be from. Without this step, computers will accept data from impostors, attackers, or other malicious parties.
• Email integrity: Digital signatures also help ensure that data has not been tampered with.

The official default port for SMTPS is port 587. SMTPS connections start with a "STARTTLS" command to let the mail server know that the SMTP traffic will be sent over TLS.

SMTPS on port 465

In the 1990s, some email service providers began to use SMTPS with Secure Sockets Layer (SSL), which was the original version of TLS that has now been deprecated. They designated port 465 for this purpose, even though no official Internet bodies had sanctioned such use of that port. (Port usage is standardized to ensure communication is possible between diverse computers and networks.) This is why port 465 is sometimes still used for email — despite the fact that this port is nonstandard.

SMTPS vs. end-to-end email encryption

While SMTPS is more secure and private than using no encryption or authentication, it only encrypts emails as they move from sender to mail server and between mail servers. A mail server on an email's path receives the email in unencrypted form before re-encrypting it to pass it to the next server. This is like if a postal service transferred the contents of an envelope to a new envelope as it passed through each post office, leaving the envelope's contents briefly exposed.

Some email senders prefer to use end-to-end encryption (E2EE). E2EE ensures that only the sender and the recipient of an email can view it in decrypted form. It keeps email contents private from all intermediaries, including the mail servers on the email's path. This process is similar to an envelope that remains sealed until it reaches the addressee.

SMTPS does not enable E2EE. Instead, protocols like Pretty Good Privacy (PGP) or Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used for E2EE. To learn more, see What is email encryption?

What ports do POP3 and IMAP use?

While SMTP sends emails, the Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP) retrieve them, enabling recipients to read or download them. Much like SMTP, these protocols have both encrypted (via TLS) and unencrypted versions:

• Unencrypted IMAP uses port 143, while encrypted IMAP uses port 993
• Unencrypted POP3 uses port 110, while encrypted POP3 uses port 995

When is port 2525 used?

Some email services offer SMTP delivery over port 2525 in case the above ports are blocked. However, this port is not standard for email and is not officially associated with SMTP.

Why email ports may be blocked

Some servers do not support all versions of SMTP and the other email protocols — for instance, older services may not be configured to receive TLS-encrypted traffic at port 587. Additionally, network administrators sometimes deny access to these ports to block attack traffic and spam, or to stop users from running their own mail servers.

While blocking port 25 or other email ports may prevent some spam and phishing attacks, malicious and unwanted emails are still likely to get through. Sophisticated business email compromise (BEC) attacks, in particular, are often well-disguised within acceptable email traffic. To counteract this, Cloudflare Area 1 Email Security stops sophisticated email-based attacks by detecting threats in advance. Read more about Cloudflare Area 1 Email Security.