Concepts & troubleshooting

SMTP port 587 vs 465 — STARTTLS or implicit TLS?

SMTP port 587 (STARTTLS) vs 465 (implicit TLS/SMTPS) vs 25 and 2525. Which submission port to use, how encryption differs, and what to do when a port is blocked.

5 min read Credentials redacted No signup

Choosing the right SMTP port determines how encryption is negotiated between your client and the mail server. The four ports you will encounter — 25, 465, 587, and 2525 — each have a specific role and encryption behavior.

SMTP test port 587 — the modern submission standard

Port 587 is defined by RFC 6409 as the mail submission port. The connection starts in plain text, and the client upgrades it to TLS by sending the STARTTLS command after EHLO. Once the server responds 220 Ready to start TLS, both sides negotiate a TLS handshake and all subsequent data (including AUTH credentials) is encrypted.

Key facts:

SMTP test port 465 — implicit TLS (SMTPS)

Port 465 uses implicit TLS: the TLS handshake begins immediately when the TCP connection is established, before any SMTP commands are exchanged. The client connects, negotiates TLS, and only then sends EHLO.

Key facts:

Test SMTP port 25 — server-to-server relay

Port 25 is the original SMTP port, now used primarily for server-to-server (MX) relay — one mail server delivering to another. It is not intended for authenticated submission from applications or end users.

Key facts:

Port 2525 — unofficial fallback

Port 2525 is not registered with IANA, but many transactional email providers (SendGrid, Mailgun, Brevo, Postmark, Mailjet) listen on it as a fallback when port 587 is blocked. It uses STARTTLS, exactly like 587 — the only difference is the port number.

Use 2525 when:

Comparison table

Port Encryption Use case Blocked by default?
587 STARTTLS (upgrade after EHLO) Authenticated submission from apps Rarely
465 Implicit TLS (on connect) Authenticated submission (legacy/RFC 8314) Rarely
25 Optional STARTTLS (relay) Server-to-server relay Often (cloud/ISP)
2525 STARTTLS (same as 587) Fallback when 587 blocked Rarely

How SMTP Tester handles ports

SMTP Tester auto-selects a security mode when you change the port:

You can override this manually. If the security mode does not match what the server expects, you will see either a connection timeout (wrong mode on 465) or a STARTTLS command used when not advertised error.

After a successful connection, the TLS diagnostics panel shows the negotiated protocol version (TLS 1.2, 1.3), cipher suite, certificate subject, issuer, and days until expiry — so you can confirm encryption actually occurred without needing openssl s_client.

What to do when a port is blocked

Symptoms of a blocked port:

Steps to resolve:

  1. Try port 465 if 587 times out (or vice versa).
  2. Try port 2525 — widely supported by transactional providers.
  3. Check outbound firewall rules on your network or cloud instance.
  4. Ask your hosting provider if they block outbound SMTP ports.
  5. If you run your own MTA, verify the listener is bound to the public interface and the port is open in iptables/ufw/security groups.

STARTTLS vs implicit TLS — which is more secure?

Both are equally secure once the TLS handshake completes. The security of the connection depends on the TLS version and cipher negotiated, not on whether encryption was initiated before or after EHLO.

The historical concern with STARTTLS was downgrade attacks: a network attacker could strip the STARTTLS advertisement from the EHLO response, causing the client to send credentials in the clear. Modern clients mitigate this by enforcing STARTTLS (refusing to proceed without it) — which is what SMTP Tester does when security is set to STARTTLS rather than "none."

Implicit TLS (465) avoids this concern entirely because encryption is non-optional — if TLS fails, the connection fails. This makes 465 slightly simpler from a security perspective, but in practice both are fine for authenticated submission with a modern client.

Quick decision guide

Try it on your own server

Run these settings against your SMTP server and watch the live, credential-redacted protocol transcript.

Open SMTP Tester