
Email Ports Explained: 25, 465, 587, and 993 — When to Use Each

Email ports 25, 465, 587, 993 — which goes where and why ISPs block port 25.

By JustEmails Platform Team

You're setting up a mail client — Thunderbird, Apple Mail, Outlook, whatever — and it asks for SMTP port and IMAP port. You've got four numbers swimming in your head: 25, 465, 587, 993. Maybe you've seen 143 and 995 too. Which one goes where?

Look, I've misconfigured this enough times (and helped enough people debug it over the years) that I can tell you exactly what each port does, when to use it, and why one of them is almost certainly blocked on your network right now. I still forget which port is STARTTLS and which is implicit TLS sometimes. It happens.

What We're Covering

By the end of this, you'll know which port to enter in every field of your mail client's account setup. You'll understand why your ISP blocks port 25, why 465 and 587 both exist for the same purpose, and why 993 is the only IMAP port you should use. Quick reference table at the end for bookmarking.

Prerequisites

Nothing technical. If you've ever set up an email account in a mail client and stared at the "port" field wondering what to type, you're in the right place.

The Four Ports You'll Actually Use

Port 25 — Server-to-Server Relay (You Won't Use This)

Port 25 is the original SMTP port, defined in RFC 821 back in 1982. It's how mail servers talk to each other. When you send an email from your Gmail to someone's Outlook, Google's servers connect to Microsoft's servers on port 25 to deliver that message.

Here's the thing: you almost certainly can't use port 25 from your computer or home network. ISPs block outbound connections to port 25 for residential and most business accounts. They've been doing this since the mid-2000s. Why? Spam. Pure and simple. If every compromised laptop could connect directly to mail servers on port 25, botnets would flood the internet with junk. Blocking port 25 at the ISP level cut down on that significantly.

(I spent an embarrassing amount of time in 2019 troubleshooting a "broken" email setup before realizing my ISP blocked port 25. The loading spinner just sat there. Nothing in the logs. Just... silence.)

When port 25 matters: Only if you're running your own mail server. Your server will accept incoming mail on port 25 from other servers. But for sending from a mail client? Never use port 25.

What happens if you try: Connection timeout. Your ISP silently drops the packets. You'll sit there watching a loading spinner until your mail client gives up.

Port 587 — Submission with STARTTLS (This Is Probably What You Want)

Port 587 is the "mail submission" port, defined in RFC 6409. It's designed specifically for mail clients sending email through a mail server. This is what you use in Thunderbird, Apple Mail, Outlook, or any other email app.

The connection process on port 587:

  1. Your client connects (unencrypted initially)
  2. Client says EHLO (extended hello)
  3. Server responds with its capabilities, including STARTTLS
  4. Client says STARTTLS
  5. Connection upgrades to TLS encryption
  6. Client authenticates with your username and password
  7. Email gets sent

The STARTTLS step is mandatory on any modern mail server. The brief unencrypted handshake at the start isn't a security risk as long as your client refuses to continue when STARTTLS fails: no sensitive data travels until after TLS is established.

When to use port 587: Almost always. It's the standard. When in doubt, try 587 first.

Example config:

  • Server: smtp.yourdomain.com
  • Port: 587
  • Security: STARTTLS
  • Authentication: Normal password

Port 465 — Implicit TLS (The Alternative)

Port 465 has a weird history. It was briefly assigned for "SMTPS" (SMTP over SSL) in the 1990s, then deprecated, then brought back in 2018 when RFC 8314 said "actually, implicit TLS is better than STARTTLS, use port 465." The internet standards process is messy. Always has been.

The difference from 587: implicit TLS means the connection is encrypted from the very first byte. No unencrypted handshake, no upgrade step. You connect, and you're already in TLS.

Is one more secure than the other? In practice, no. Both end up with the same encryption. The theoretical advantage of port 465 is that it's immune to downgrade attacks where a man-in-the-middle strips STARTTLS out of the server's advertised capabilities, so the client never upgrades. In practice, proper mail clients fail closed if STARTTLS doesn't work on 587, so this isn't a real-world concern for most people.

Honestly? I think the debate over 465 vs 587 is mostly academic. Pick whichever your provider recommends and move on with your life.
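What "fail closed" means for the port 587 steps listed earlier, as an added example that is not part of the original article: the client checks the EHLO reply for STARTTLS and stops before login if it is missing. The names `submit_login`, `StartTLSUnavailable` and `start_plaintext_only_server`, the host `test.invalid` and the credentials are all constructed for this illustration; the local server is a stand-in so the check can run offline.

```python
import smtplib, socket, ssl, threading

class StartTLSUnavailable(Exception):
    """Raised before any credentials leave the client."""

def submit_login(host, port, user, password):
    """Steps 1-6 of the port-587 flow, refusing to log in without TLS."""
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    with smtplib.SMTP(host, port, local_hostname="client.invalid", timeout=5) as s:
        s.ehlo()
        if not s.has_extn("starttls"):   # not offered, or removed in transit
            raise StartTLSUnavailable(f"{host}:{port} did not offer STARTTLS")
        s.starttls(context=ctx)
        s.ehlo()                         # re-read capabilities inside TLS
        s.login(user, password)
    return "authenticated"

def start_plaintext_only_server(seen):
    """Constructed stand-in for a server whose EHLO reply lacks STARTTLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 test.invalid ESMTP\r\n")
            for line in lines:
                seen.append(line.strip())            # record every client command
                verb = line[:4].upper()
                if verb == b"EHLO":
                    conn.sendall(b"250-test.invalid\r\n250 AUTH PLAIN LOGIN\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 not implemented\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    seen = []
    port = start_plaintext_only_server(seen)
    try:
        status = submit_login("127.0.0.1", port, "user@example.com", "app-password")
    except StartTLSUnavailable:
        status = "refused"
    return status, seen
```

Calling `demo()` returns the status plus every command the stand-in server received, which shows that only EHLO and QUIT were sent.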

When to use port 465: When your email provider tells you to. Some providers (particularly those that emphasize security) prefer 465. JustEmails supports both — 587 with STARTTLS and 465 with implicit TLS work identically.

Example config:

  • Server: smtp.yourdomain.com
  • Port: 465
  • Security: SSL/TLS (implicit)
  • Authentication: Normal password

Port 993 — IMAP with TLS (Receiving Email)

Port 993 is IMAPS — IMAP over implicit TLS. This is how your mail client connects to download and sync your email.

There's an older port 143 for unencrypted IMAP, but you shouldn't use it in 2026. No reputable email provider supports unencrypted IMAP anymore. If you try to connect on port 143, you'll either get a connection refused or a redirect to 993.

When to use port 993: Always, for IMAP. It's the only IMAP port you need.

Example config:

  • Server: imap.yourdomain.com
  • Port: 993
  • Security: SSL/TLS (implicit)
  • Authentication: Normal password

Bonus: Port 995 — POP3 with TLS

If you're using POP3 instead of IMAP (rare these days — POP3 downloads and deletes from server, while IMAP syncs), port 995 is the encrypted version. The unencrypted port 110 is deprecated like IMAP's 143.

Who still uses POP3: Some older setups, some specific business requirements where you want email to exist only on one device, and people who've been using the same email setup since 2005 and haven't changed it. No judgment — if it works, it works.

Common Errors and Fixes

"Connection timed out" on port 25

Cause: Your ISP blocks outbound port 25. This is normal.

Fix: Switch to port 587 or 465. You're not supposed to use port 25 from a mail client anyway.

"Connection refused" on port 587 or 465

Could not connect to smtp.example.com:587
Connection refused

Cause: Either the server address is wrong, or the provider doesn't have SMTP running on that port.

Fix: Double-check the SMTP server address in your provider's documentation. Some providers use non-standard subdomains like mail.example.com or outgoing.example.com instead of smtp.example.com.

"STARTTLS not supported" or TLS handshake failures

The server does not support STARTTLS

Cause: You're trying to use STARTTLS on a port that expects implicit TLS (like 465), or your client is misconfigured.

Fix: For port 587, select "STARTTLS" in security settings. For port 465, select "SSL/TLS" (not STARTTLS). These are different modes — mixing them up causes this error.

"Certificate verification failed"

SSL: certificate verify failed

Cause: The server's TLS certificate doesn't match the hostname you're connecting to, or it's expired, or it's self-signed.

Fix: Make sure you're using the exact server hostname your provider specifies. If they say mail.example.com, don't use smtp.example.com or the bare domain. The certificate is issued for a specific name. If the cert is actually expired (check by visiting the hostname in a browser), that's a provider problem — contact their support.

IMAP "authentication failed" even with correct password

AUTHENTICATE failed

Cause: Often this is two-factor authentication. If you have 2FA enabled on your email account, you usually can't use your regular password in mail clients. You need an app-specific password. This trips up more people than any other email configuration issue, in my experience.

Fix: Generate an app password in your email provider's security settings. Google calls these "App passwords." Microsoft calls them the same. Use that instead of your regular login password. The error message doesn't exactly make this obvious, which is frustrating.

The Quick Reference Table

| Port | Protocol | Encryption | Direction | Use Case |
|------|----------|------------|-----------|----------|
| 25 | SMTP | None (upgradable) | Server-to-server | Mail servers relaying to each other. Not for mail clients. |
| 465 | SMTP | Implicit TLS | Client-to-server | Sending email from apps. Modern alternative to 587. |
| 587 | SMTP | STARTTLS | Client-to-server | Sending email from apps. Most common choice. |
| 993 | IMAP | Implicit TLS | Client-to-server | Receiving/syncing email. Always use this for IMAP. |
| 995 | POP3 | Implicit TLS | Client-to-server | Downloading email (legacy protocol). |
| 143 | IMAP | None | Client-to-server | Deprecated. Don't use. |
| 110 | POP3 | None | Client-to-server | Deprecated. Don't use. |

Bookmark this table. I've looked up port numbers more times than I'd like to admit. There's no shame in it.

Real Example: Setting Up a JustEmails Account in Thunderbird

Here's what the actual fields look like when you're connecting JustEmails (or most IMAP/SMTP providers) in Thunderbird:

Incoming mail:

  • Protocol: IMAP
  • Server: imap.justemails.app
  • Port: 993
  • Connection security: SSL/TLS
  • Authentication method: Normal password
  • Username: your full email address

Outgoing mail:

  • Server: smtp.justemails.app
  • Port: 587 (or 465)
  • Connection security: STARTTLS (for 587) or SSL/TLS (for 465)
  • Authentication method: Normal password
  • Username: your full email address

That's it. The same pattern works for Apple Mail, Outlook, any standard mail client. The server hostnames change per provider, but the port and security combinations are universal.

(Side note: I genuinely wish mail client setup wizards were better at this. Most of them ask for your email address and then guess the rest — and they guess wrong often enough that you end up in settings anyway.)

Next Steps

If you're still setting up your email infrastructure, you'll probably want to tackle DNS authentication next. SPF, DKIM, and DMARC are what keep your emails out of spam folders — they're separate from port configuration but equally important. For a deep dive on getting your logo displayed in Gmail, see our BIMI setup guide.

For those running multiple domains, check out how flat-fee email hosting compares to per-user pricing. If you're paying Google Workspace rates just for email — $84+/user/year — you're probably overpaying for features you don't need. Our Google Workspace alternatives comparison breaks down the real costs.

And if you're sending transactional emails from an app (password resets, notifications, receipts), you'll need to decide between SMTP relay and API-based sending. Both use the ports above — SMTP relay goes through 587 or 465, while API calls bypass SMTP entirely. For server-side sending (cron jobs, alerts), see how to set up SMTP relay for server alerts.

Frequently Asked Questions

Which port should I use for sending email in a mail client?

Use port 587 with STARTTLS for most mail clients. It's the standard submission port and works with nearly every email provider. Port 465 with implicit TLS is the alternative — some providers prefer it. Never use port 25 from a mail client; ISPs block it and it's meant for server-to-server relay only.

Why is port 25 blocked by my ISP?

ISPs block outbound port 25 to residential and business connections to prevent spam. Port 25 is the server-to-server relay port, and open access to it from consumer networks would let compromised machines send spam directly. This has been standard practice since the mid-2000s. Use port 587 or 465 instead.

What's the difference between port 465 and port 587?

Port 587 uses STARTTLS — the connection starts unencrypted and upgrades to TLS after a handshake. Port 465 uses implicit TLS — the connection is encrypted from the first byte. Both are secure. Port 587 is the official standard (RFC 6409), but port 465 was recently re-legitimized (RFC 8314) and some providers prefer it.

Which port do I use for receiving email (IMAP)?

Port 993 with implicit TLS (IMAPS). This is the only IMAP port you should use in 2026. The old unencrypted port 143 still exists but no reputable provider supports it anymore. For POP3 users (rare these days), port 995 with TLS is the equivalent.


Try JustEmails

Unlimited custom domain email hosting for $49/year flat — unlimited domains, unlimited mailboxes, 10 GB storage, full IMAP/SMTP. Built for agencies, freelancers, and anyone managing email across more than one domain.
