Port 587 is the modern mail submission port (RFC 6409). The connection starts in plain text and is upgraded to encryption with the STARTTLS command after EHLO. Almost every current provider supports 587, and it is the recommended default for apps and mail clients.
Port 465 uses implicit TLS (sometimes called SMTPS): the TLS handshake happens immediately on connect, before any SMTP commands. It was deprecated, then re-blessed by RFC 8314, and remains widely supported. Functionally 587 and 465 are equally secure when configured correctly—465 just negotiates encryption a step earlier.
Port 25 is for server-to-server relay, not authenticated submission. Most cloud providers and ISPs block outbound 25 to fight spam, so it is rarely the right choice for sending from an application. Port 2525 is a non-standard fallback that several providers (SendGrid, Mailgun, Brevo, Postmark) also accept when 587 is blocked by a network or firewall.
If you are unsure, start with 587 and STARTTLS; switch to 465 with implicit TLS if your client or provider prefers it, or to 2525 if 587 is filtered. SMTP Tester auto-selects a sensible security mode per port (465 → TLS, 25 → none, 587/2525 → STARTTLS) and shows the negotiated TLS protocol, cipher, and certificate expiry so you can confirm encryption actually succeeded.
Which port to choose
- 587 + STARTTLS — modern default for authenticated submission
- 465 + implicit TLS (SMTPS) — equally secure; encryption negotiated on connect
- 25 — server-to-server relay only; usually blocked for outbound submission
- 2525 — unofficial fallback when 587 is blocked by a firewall or ISP
- Use handshake-only mode to verify TLS without sending a message