This is a pretty common question that comes up when sending email, but to fully answer this question we need a little bit of background information.
What is SMTP?
SMTP stands for Simple Mail Transfer Protocol and is, put simply, the way email is sent over the internet. It was first published in August 1982 as RFC 821 (the current specification is RFC 5321). You can find a more detailed explanation on our blog here.
How are ports and services managed on the internet?
There are two governing bodies that oversee certain technologies and assignments.
First, the Internet Assigned Numbers Authority (IANA) is responsible for three areas of internet coordination: domain names, number resources, and protocol assignments. As part of the last of these it maintains the registry of service names and port numbers, which is what matters for this question. Anyone can apply to register a service name on an unassigned port, but an IANA registration says nothing about whether the traffic on that port is legitimate or secure; it only records who claimed the number and what for.
Second, the Internet Engineering Task Force (IETF) publishes the standards that make the internet run better. The IETF uses RFCs (Requests for Comments) to propose and document new protocols and changes to existing ones.
For the purpose of this article, we are mainly interested in the RFCs covering SMTP message submission on ports 465 and 587.
What are TLS and StartTLS?
Finally, let’s go over a little technical vocabulary: TLS (Transport Layer Security) and STARTTLS.
With implicit TLS, the TLS handshake starts the moment the TCP connection is established, before a single SMTP command is sent; SMTP only ever runs inside the encrypted channel. (You will still see this called SSL, after TLS’s predecessor, Secure Sockets Layer.) It is a valid and simple approach precisely because nothing is ever exchanged in plaintext, and it needs a port of its own, since the first bytes on the wire are not SMTP at all.
STARTTLS is an SMTP command (RFC 3207). The session begins in plaintext, the server advertises STARTTLS in its EHLO reply, and the client then asks to upgrade the same connection to TLS. This is the preferred method here because one port can carry both plaintext and TLS sessions. The caveat is that the upgrade is negotiated in the clear: an attacker in the path who strips STARTTLS out of the EHLO reply can keep a careless client in plaintext, so a submission client must refuse to authenticate or send if the upgrade is not offered or fails, and must verify the server certificate once it is.
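As an added illustration (this is example code written for this page, not code from the original post or from any mail provider), here are the two connection styles above in Python’s standard-library smtplib: implicit TLS on port 465 and a STARTTLS upgrade on port 587 that refuses to continue in plaintext. The hostname, credentials and recipient address are placeholder assumptions, and the EHLO replies used in the comments and tests are constructed, not captured from a real server.

```python
"""Submission over port 465 (implicit TLS) versus port 587 (STARTTLS).

Added example for this article; hostnames and credentials are assumed
placeholders and must be replaced with your provider's values.
"""
import smtplib
import ssl

SUBMISSION_HOST = "smtp.example.com"        # assumed provider hostname
SUBMISSION_USER = "postmaster@example.com"  # assumed credentials
SUBMISSION_PASSWORD = "change-me"


def tls_context() -> ssl.SSLContext:
    """A client context that verifies the server chain and hostname.

    create_default_context() already disables SSLv2/SSLv3 and turns on
    certificate and hostname verification; on top of that refuse TLS < 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_ehlo_extensions(ehlo_resp: bytes) -> dict:
    """Turn the reply body smtplib's ehlo() returns into {KEYWORD: params}.

    smtplib strips the '250-' / '250 ' prefixes and joins the lines with '\n'.
    The first line is the server's greeting (domain plus free text); each
    following line is an extension keyword with optional parameters, e.g.
    b'mail.example.com Hello [192.0.2.10]\nSIZE 35882577\nSTARTTLS' (constructed).
    """
    extensions = {}
    lines = ehlo_resp.decode("ascii", errors="replace").split("\n")
    for line in lines[1:]:                      # skip the greeting line
        keyword, _, params = line.strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params
    return extensions


def starttls_offered(ehlo_resp: bytes) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_resp)


def connect_implicit_tls(host: str = SUBMISSION_HOST, port: int = 465) -> smtplib.SMTP:
    """Port 465: the TLS handshake happens before any SMTP byte is exchanged."""
    return smtplib.SMTP_SSL(host, port, context=tls_context(), timeout=30)


def connect_starttls(host: str = SUBMISSION_HOST, port: int = 587) -> smtplib.SMTP:
    """Port 587: start in plaintext, then upgrade; abort if that is impossible.

    A man-in-the-middle that removes STARTTLS from the EHLO reply would make a
    careless client fall back to plaintext, so a missing extension is treated
    as a hard failure instead of a reason to send anyway.
    """
    smtp = smtplib.SMTP(host, port, timeout=30)
    code, resp = smtp.ehlo()
    if code != 250 or not starttls_offered(resp):
        smtp.close()
        raise RuntimeError(f"{host}:{port} did not offer STARTTLS; refusing plaintext")
    smtp.starttls(context=tls_context())   # raises ssl.SSLError on a bad certificate
    smtp.ehlo()                            # RFC 3207: EHLO again after the upgrade
    return smtp


def send_test_message(smtp: smtplib.SMTP) -> dict:
    """Authenticate and send one message; only ever called once TLS is up."""
    smtp.login(SUBMISSION_USER, SUBMISSION_PASSWORD)
    return smtp.sendmail(SUBMISSION_USER, ["recipient@example.net"],
                         "Subject: port test\r\n\r\nsent over TLS\r\n")


if __name__ == "__main__":
    for connect in (connect_implicit_tls, connect_starttls):
        with connect() as session:            # quit() is called on exit
            print(connect.__name__, "->", send_test_message(session))
```

The two connectors return the same kind of session, so the code that logs in and sends does not care which port was used; the only difference is when the handshake happens. The STARTTLS path deliberately parses the EHLO reply itself so the policy (no TLS, no login) is visible rather than buried in library defaults.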
Port 465: Message submission over TLS protocol
Tl;dr Port 465 is used for implicit TLS, however, port 587 and startTLS are preferred.
Port 465 has an interesting history. In early 1997 a proposal for submitting SMTP messages over an encrypted connection was circulated, and port 465 was registered with IANA under the service name smtps. Because this was only an IANA registration and never went through the IETF as an RFC, it was never formally blessed as the encrypted port for SMTP. Shortly afterward the IETF instead standardized message submission on port 587 (RFC 2476, December 1998) together with the STARTTLS extension (RFC 2487, January 1999) as the way to encrypt submission.
To simplify matters, port 465 and the smtps registration were then withdrawn from the IANA registry. This caused a fair amount of confusion, because implicit TLS on port 465 had already gained real traction with mail clients and providers. To remedy this, the IETF eventually reversed course: RFC 8314 (January 2018) asked IANA to reinstate port 465 for message submission over implicit TLS, under the service name submissions, and that RFC states that implicit TLS is now to be preferred over STARTTLS for submission.
Today the IANA registry lists port 465 twice: as submissions (message submission over TLS) and as urd, the URL Rendezvous Directory for SSM. The second entry only adds to the confusion around the port, because URD has nothing to do with SMTP.
Port 587: Message submission
Tl;dr Port 587 is the default port for SMTP message submission.
Port 587 has been the designated port for message submission since RFC 2476 (1998); the current submission specification is RFC 6409. The confusion between port 465 and port 587 goes back to 1997, when a standard for encrypted submission was being discussed and STARTTLS was the mechanism ultimately chosen. It lets a client connect in plaintext and then upgrade the same connection to TLS, which is why it was the preferred approach: one port serves both. The flip side is that the client must insist on the upgrade; if the server does not advertise STARTTLS, or the handshake fails, the correct behaviour is to abort, not to send in plaintext.
Bonus, what is port 2525?
Often, alongside the port 465 vs. 587 question, we see a lot of references to port 2525. What is this port, and what is it used for? Fortunately this one has a quick answer. Many ISPs block outbound port 25, mostly to keep compromised home machines from relaying spam, which also stops enthusiasts from running their own mail servers. To work around that blockage, many ESPs (email service providers) accept submissions on port 2525 as an alternative. It is not an IANA-assigned SMTP port, just a widely used convention, and it typically follows the same plaintext-then-STARTTLS model as port 587.
Which should I use?
Tl;dr Use port 587 if you can, 465 if you can’t, 25 if you must.
Port 587 is technically correct, the best kind of correct. However, many ESPs have adopted implicit TLS on port 465, and since RFC 8314 the IETF endorses it for submission, so either port is a sound choice as long as the client requires TLS and verifies the server certificate. Ports 25 and 2525 can carry STARTTLS too, but port 25 is intended for server-to-server relay rather than authenticated submission and is frequently blocked, and 2525 is only a provider convention. The one thing not to do is send over any port in plaintext. That makes port 587 the preferred option for sending, with port 465 a close second.