SMTP Ports Explained: When to Use 25, 465, 587, and 2525

Pick the wrong SMTP port and your email just won't send. It's one of those configuration details that seems minor until it isn't — and when it breaks, the error messages are rarely helpful. "Connection refused" or "timeout" doesn't tell you whether you've got the wrong port, the wrong encryption type, or a firewall blocking the connection entirely.
This guide covers the four SMTP ports you'll encounter — 25, 465, 587, and 2525 — what each one is actually for, and how to choose the right one for your situation.
What SMTP Ports Are and Why They Matter
SMTP (Simple Mail Transfer Protocol) is the protocol email servers use to send messages. Ports are numbered doors that tell your client or server where to connect. Each port number has a defined purpose, and mail servers and ISPs treat them differently. Using the wrong port doesn't just fail — it can silently route your email through less secure channels or get it dropped by a firewall before it ever reaches the server.
Port 25: The Original SMTP Port
Port 25 is the original SMTP port, specified in the 1982 standard. It's still widely used — but almost exclusively for server-to-server email delivery, meaning the communication between mail servers when one hands off a message to another.
The problem is spam. Spammers historically abused port 25 to flood the internet with junk mail, so most residential ISPs and cloud providers now block outbound connections on port 25 by default. If you're on a VPS or shared host and your outbound email on port 25 is silently failing, this is almost certainly why.
You should not use port 25 for client-to-server submissions — that is, when your email client or application is submitting mail to your SMTP relay. It's not the right tool for that job, and many servers will reject it even if the port is technically reachable.
Port 465: Implicit TLS Submission
Port 465 was originally assigned for SMTP over SSL, where the connection is encrypted from the start using implicit TLS — no negotiation, just encrypted from the first byte. It was deprecated in 1998 when STARTTLS was standardized on port 587, but it has come back into broad use because STARTTLS has weaknesses in practice, including downgrade attacks and opportunistic fallback to unencrypted connections.
Today, port 465 with implicit TLS is widely supported and considered the more secure option for client submission on providers that offer it. If your SMTP relay supports port 465, use it — the connection is encrypted immediately with no window for an attacker to interfere with the TLS upgrade process.
Check your provider's documentation to confirm whether they support port 465 and which TLS version is required.
Port 587: The Standard Submission Port
Port 587 is the standard port for email client submission. It uses STARTTLS, where the connection starts unencrypted and then upgrades to TLS before any credentials or message content are transmitted. This is what you should configure in email clients like Outlook or Thunderbird when setting up a business email account.
Port 587 is not blocked by most ISPs the way port 25 is, making it reliable across different network environments. The vast majority of business email hosts — including MailDog's SMTP relay — support port 587 as the primary submission port.
When you're configuring an application, transactional email pipeline, or email API, port 587 with STARTTLS and SMTP AUTH is almost always the right combination. For a deeper look at how STARTTLS works in transit and where it can fall short, see our guide to STARTTLS and DANE.
Port 2525: The Fallback Port
Port 2525 isn't part of any official standard. It's an unofficial alternative to port 587 that some providers offer specifically because certain networks, corporate firewalls, or ISPs block port 587 along with port 25.
You'll typically only need port 2525 if 587 isn't working and you've confirmed the issue is a network block rather than a configuration mistake. Most providers that offer it use the same STARTTLS and AUTH requirements as port 587 — it's effectively the same behavior on a different door number.
Don't make 2525 your first choice. Use 587, and fall back to 2525 only when you're stuck behind a restrictive network that leaves you no other option.
Choosing the Right Port: Quick Reference
- Server-to-server delivery (MTA to MTA): Port 25
- Client email submission (standard): Port 587 with STARTTLS
- Client email submission (more secure, immediate TLS): Port 465 with SSL/TLS
- Client submission on restrictive networks: Port 2525 with STARTTLS
What to Do When Your SMTP Port Is Blocked
If you're on a cloud server and port 25 is blocked, check your provider's policy first. AWS, Google Cloud, and Azure all block outbound port 25 by default. You can request an unblock for production mail servers, but it typically involves demonstrating legitimate use through a formal request process.
For applications sending via an SMTP relay, don't try to fight the block — just use port 587 or 465. That's what they're designed for. If port 587 is also blocked, which is common on some enterprise networks, try 2525.
If connections are timing out on all ports, the issue is more likely a firewall rule than a port assignment. Check your server's security group or firewall to ensure outbound TCP is permitted on the port you're targeting.
Encryption Is Not Optional
Regardless of which SMTP port you use, make sure encryption is actually enabled. Sending email credentials or message content over an unencrypted connection is a genuine risk. For client submissions on ports 587 or 465, require TLS — don't leave it set to "if available."
If you're evaluating SMTP relay options for your application or business, MailDog's SMTP service supports both 587 and 465 with full TLS enforcement. See our pricing for options that fit different sending volumes.


