Skip to content
← All articles

Email Ports Explained: 25, 465, 587, 110, 143, 993, 995

To send mail, an email client should use port 587 with STARTTLS or port 465 with implicit TLS — these are submission ports. Port 25 is meant for server-to-server relay and is often blocked by ISPs. To receive mail, use IMAP (993 with SSL or 143) and POP3 (995 with SSL or 110).

This guide explains what each email port does, the difference between STARTTLS and implicit TLS, why hosts and ISPs block port 25, which port to enter in your mail client, and how to test whether a given port is open on a server.

What email ports are and why they matter

An email port is the number over which a mail client or server opens a TCP connection to another server to move messages. Each stage of delivery — server-to-server relay, submission of a message from a client, and mail retrieval — has its own standard ports assigned to the SMTP, POP3, and IMAP protocols.

Choosing the right port affects not only whether mail works but also its security: whether the connection is encrypted and when TLS is established determines how well your login, password, and message contents are protected against interception.

SMTP ports: 25, 587, 465

SMTP (Simple Mail Transfer Protocol) handles sending. It has three historically established ports, and confusing them is one of the most common reasons mail fails to send.

Port 25 — server-to-server relay (MTA-to-MTA)

Port 25 is the original SMTP port, meant for transferring mail between mail servers (MTAs). When the sender's server delivers a message to the recipient's server, it connects to the recipient's port 25. Using it to send mail from an email client is discouraged and often impossible.

Port 587 is defined in RFC 6409 as the message submission port — this is how an email client hands a message to the provider's server. The connection starts in cleartext and is upgraded to encrypted via the STARTTLS command. It requires authentication (SMTP AUTH). This is the recommended port for configuring outgoing mail in most modern clients.

Port 465 — SMTPS with implicit TLS

Port 465 uses implicit TLS: encryption is established immediately on connect, before any SMTP commands. For years it was considered deprecated, but RFC 8314 (2018) rehabilitated it and recommends implicit TLS for submission. Today both 465 and 587 are valid choices; which to use depends on provider support.

Retrieval ports: POP3 and IMAP

Two protocols are used to receive mail. POP3 downloads messages to a device and usually deletes them from the server, while IMAP synchronizes mailbox state across all devices and keeps messages on the server.

POP3 — ports 110 and 995

Port 110 is POP3 without encryption (or with STARTTLS). Port 995 is POP3 over implicit TLS (POP3S), the secure variant. For any modern mailbox you should use 995.

IMAP — ports 143 and 993

Port 143 is IMAP without encryption (or with STARTTLS). Port 993 is IMAP over implicit TLS (IMAPS). Port 993 is preferred because it encrypts the connection from the first second and is recommended by RFC 8314.

Email ports table

PortProtocolEncryptionPurpose
25SMTPUsually none (or STARTTLS)Relay between mail servers (MTA-to-MTA)
587SMTP (submission)STARTTLSClient sends message to server (recommended)
465SMTPSImplicit TLSClient sends message (implicit TLS)
110POP3None (or STARTTLS)Retrieval, downloads to device
995POP3SImplicit TLSSecure POP3 retrieval
143IMAPNone (or STARTTLS)Retrieval with server-side sync
993IMAPSImplicit TLSSecure IMAP retrieval

STARTTLS versus implicit TLS

The difference between the two encryption models is fundamental. With STARTTLS (ports 587, 143, 110) the connection opens in cleartext, then the client issues the STARTTLS command to switch it to TLS. With implicit TLS (ports 465, 993, 995) encryption is enabled immediately when the TCP connection is established.

Implicit TLS is considered more resilient against downgrade attacks, where an attacker strips the STARTTLS command and forces the connection to stay in cleartext. That is why RFC 8314 recommends preferring implicit TLS for new configurations: 465 for sending, 993 for IMAP, 995 for POP3.

Key rule: STARTTLS without enforced verification can be stripped by an attacker. If your provider supports implicit TLS (465/993/995), choose it.

Why port 25 is blocked by ISPs and hosts

Many internet service providers and cloud hosts block outbound connections to port 25. The reason is historical: infected computers sent spam en masse directly through port 25, bypassing controls. Blocking port 25 on client networks sharply reduced spam volume.

Practical consequences:

  • Home internet usually won't let you connect to an external port 25 — send mail through your provider's 587 or 465.
  • Cloud providers (AWS, Google Cloud, many VPS hosts) close port 25 by default and open it only on request with justification.
  • If you run your own mail server, port 25 is needed to receive inbound mail from other servers — blocking it inbound is different from blocking it outbound.

If mail won't send and the logs show a timeout on port 25, the ISP is almost certainly blocking outbound connections. Switch to a submission port.

Which port to choose in your email client

When configuring an email client (Outlook, Thunderbird, Apple Mail, mobile apps), follow a simple scheme:

  1. Outgoing mail (SMTP): port 587 with STARTTLS or port 465 with SSL/TLS. Always enable username-and-password authentication.
  2. Incoming mail, IMAP: port 993 with SSL/TLS (preferred). Port 143 only if 993 is unavailable.
  3. Incoming mail, POP3: port 995 with SSL/TLS. Port 110 only as a fallback.

Always confirm the exact values in your provider's documentation — some services support only one of the submission ports. Never use port 25 in client settings.

How to check whether a port is open

Before troubleshooting client settings, it helps to confirm the port is reachable at all and that a mail server with correct TLS is actually listening on it.

Test the TLS handshake on a submission port (STARTTLS):

openssl s_client -connect smtp.example.com:587 -starttls smtp

Test implicit TLS on port 465 or IMAPS 993:

openssl s_client -connect smtp.example.com:465
openssl s_client -connect imap.example.com:993

Quickly check whether a TCP port is open without a TLS handshake:

# via telnet
telnet smtp.example.com 587

# or via netcat (quieter, better for scripts)
nc -vz smtp.example.com 587

If the connection hangs or times out, the port is blocked by a firewall or the ISP. If openssl shows the certificate chain and a line with the TLS version, the server is configured correctly.

Don't want to work in the command line? Use our port availability checker — enter a host and port number and it reports reachability in a couple of seconds, including from multiple regions.

Setting up email goes beyond ports. For messages to arrive and stay out of spam, you need correct DNS records and server monitoring:

Frequently Asked Questions

Which port should I use to send mail — 587 or 465?

Both ports are correct and secure. Port 587 works over STARTTLS and is defined by the submission standard (RFC 6409). Port 465 uses implicit TLS and is recommended by RFC 8314 as more resistant to downgrade attacks. If your provider supports 465, choose it; if not, use 587.

Why won't my mail send over port 25?

Most ISPs and cloud hosts block outbound connections to port 25 to fight spam. Port 25 is meant for relaying mail between servers, not for sending from a client. To send messages, use submission port 587 or 465 with authentication enabled.

What's the difference between POP3 and IMAP?

POP3 (ports 110/995) downloads messages to a single device and usually deletes them from the server — good for one computer. IMAP (ports 143/993) keeps messages on the server and syncs state across all devices. For using mail on several devices, choose IMAP.

Which is safer — STARTTLS or SSL/TLS?

Implicit TLS (SSL/TLS on ports 465, 993, 995) is more robust because encryption is enabled the moment you connect. STARTTLS opens the connection in cleartext, and an attacker could in theory strip the command that switches to TLS. When you have a choice, prefer implicit TLS.

How do I find out which ports are open on my mail server?

Use nc -vz host port or telnet host port to check TCP reachability, and openssl s_client to verify TLS. Or use the online port checker on enterno.io, entering the host and ports 25, 465, 587, 993, and 995.

Do I need to open port 25 on my own server?

Yes, if your server receives inbound mail from other servers — they connect to your MTA's port 25. Blocking port 25 inbound makes the domain unable to receive mail. Blocking it outbound (at the ISP) is a separate matter and affects only clients' outgoing connections.

Can I use one port for both sending and receiving?

No. Sending uses SMTP submission ports (587 or 465), while receiving uses IMAP (993/143) or POP3 (995/110). They are different protocols on different ports, so your client always needs at least one outgoing and one incoming port configured separately.

Sources

Check your website right now

Check your site →
More articles: Networking
Networking
IP Geolocation Accuracy: How It Works and Where It Fails
11.03.2026 · 360 views
Networking
TSPU, DPI and Traffic Throttling: How It Works and How to Check
13.07.2026 · 26 views
Networking
Best Online Port Scanners 2026
15.06.2026 · 95 views
Networking
Traceroute: How to Read the Output and Find Problems
13.07.2026 · 31 views