The SMTP protocol uses multiple ports for email delivery. This article discusses each port's differences, rationale, and use cases. It discusses five different use cases related to email delivery and explains the best port to use in each scenario.
This article assumes you are familiar with:
The answer to this question has more to do with history than technology. If the SMTP protocol were redesigned, it would probably use just one port that can accommodate every scenario. The protocol was introduced in the 1980s, and only port 25 was used for communication. Those were the days when folks trusted each other. Later, features like authentication and encryption were introduced, which resulted in the addition of more ports. Port 465 was introduced to handle encryption, while port 587 was introduced for authentication.
Today, even port 25 can be encrypted and optionally authenticated, confusing novice administrators when deciding on the correct value. This article addresses multiple use cases to tackle this problem by discussing them one at a time.
The following table summarizes some key differences between each port regarding encryption and authentication.
Port | Encryption | Authentication |
---|---|---|
25 | Communication is initially started without encryption but quickly switched to encryption using the STARTTLS option. Sensitive data, including authentication, email addresses as well as actual message is transferred with encryption. | Although you can configure port 25 to accept authentication after encryption is established, many administrators do not allow authentication on this port. |
587 | SMTP authentication is availble and expected on these ports. | |
465 | Communication is encrypted from the beginning. |
The following image visually displays the rationale for every use case. Each case is numbered and later discussed below.
Servers on the Internet will always send emails to port 25. You cannot receive inbound emails for your domain on any other port. This also assumes you're running your email server on a network with a static IP address. Click here if you do not have a static IP.
Users, devices, and application servers within your LAN need to send emails to your corporate email server, which is also running on-premise and will relay messages to their final destination.
Although encryption is less crucial because the email client and server are within a trusted environment, many organizations prefer encryption for added security or compliance.
This is similar to use case# 2, but the employee connects remotely over the Internet. In this case, encryption is essential.
Port 465 is preferred. You can use port 587, provided the email client is configured to enforce STARTTLS. Clients such as MS Outlook will warn users if encryption cannot be used on port 587.
Using 465 enforces encryption, and emails cannot be delivered if there is a communication problem between an email client and server, forcing the administrators to figure out what is wrong with SSL.
Some email servers, such as Xeams, can warn administrators if a client connects to the server without encryption.
Your corporate email server will deliver the emails received from users, devices, and applications (use cases 2 and 3) to their final destination. Before sending the message, your server will perform an MX lookup against the recipient's domain to determine the destination server's hostname/IP address.
In this case, you use Microsoft Exchange Online or Google Workspace as your primary email system. However, you have an on-premise SMTP server, such as Xeams, that accepts emails from in-house users, devices, and applications. A few benefits of running an on-premise server are:
There are two methods to relay outbound emails through Microsoft or Google from your local SMTP server.
Method 1 - Direct
In this case, your server will send emails directly to the destination server. Messages destined
for in-house recipients will go to Microsoft/Google. The following must be true for this method to work:
The communication will occur on port 25, and STARTTLS will be used for encryption. SMTP authentication is not needed.
Method 2 - Relaying
In this case, your on-premise SMTP server will send every outbound email to Microsoft/Google,
which will then deliver it to the final destination. You will configure your on-premise server to use OAuth 2.0,
which is now required by both providers.
The following conditions must be met for this to work:
The communication will occur on port 587, and STARTTLS will be used for encryption. OAuth 2.0 will be used for authenticating users.
In this case, your service provider will dictate the ports, encryption protocol, and authentication method you can use.
You can configure your devices to connect directly to the service provider or send messages to your on-premise server, as mentioned for use case# 2, which will then be sent to the service provider.
This method is a good choice if you do not have a static IP address or if your ISP blocks outbound ports.
In short, use the following points as a rule of thumb when deciding which ports to use for SMTP.