Email uses a handful of TCP ports for different functions — 25 for server-to-server delivery, 587 for user submission, 465 for implicit-TLS submission, 993 for IMAP over TLS, 995 for POP3 over TLS. This article explains every email port UK businesses encounter, what each is for, which to use when configuring clients and firewalls, and how the choice affects security.

| Port | Protocol | Encryption | Use | Status |
|---|---|---|---|---|
| 25 | SMTP | STARTTLS (opportunistic) | Server-to-server delivery | Current |
| 587 | SMTP submission | STARTTLS required | User to outbound server | Current |
| 465 | SMTPS | Implicit TLS | User to outbound server (modern) | Current (revived) |
| 143 | IMAP | STARTTLS or plain | Mailbox access | Current but prefer 993 |
| 993 | IMAPS | Implicit TLS | Mailbox access (preferred) | Current |
| 110 | POP3 | STLS or plain | Mailbox download | Current but prefer 995 |
| 995 | POP3S | Implicit TLS | Mailbox download (preferred) | Current |
| 2525 | SMTP alternative | Varies | Alternative submission (non-standard) | Some providers |

The original SMTP port, defined in RFC 5321. Used for mail moving between MTAs — for example, Gmail's outbound server connecting to your UK firm's MX to deliver a message.
Key properties:
For UK businesses: port 25 is what your MX record points at, and what other servers use to deliver mail to you. Your outbound mail server uses port 25 to deliver to other servers' MX hosts. Your users should never connect to port 25 directly for submission.
Defined in RFC 6409. Used by end-user mail clients (desktop Outlook, Apple Mail, Thunderbird, mobile apps) to submit outbound mail to their own organisation's outbound server. Key properties:
For UK deployments: port 587 is the traditional "user submission" port. Some organisations prefer 465; most now offer both.
Port 465 has a convoluted history. Originally allocated for "SMTPS" in the late 1990s, it was deprecated shortly after, and port 587 became the preferred submission port. But RFC 8314 (2018) rehabilitated port 465 for "Implicit TLS" submission. Key properties:
For UK deployments: port 465 is the modern preferred submission port. If your server supports both 465 and 587, configure clients to prefer 465.
The original IMAP port (RFC 9051). IMAP (Internet Message Access Protocol) lets clients connect to a server and access messages stored there. Port 143 supports:
For 2026 deployments, port 143 should either require STARTTLS before accepting authentication or (preferably) be retired in favour of port 993.
IMAPS (IMAP over TLS). TLS begins immediately on connection. No plaintext phase. Universally supported by modern clients.
Key properties:
The original POP3 port. POP3 is an older mailbox access protocol — clients typically download messages and remove them from the server, though "leave on server" options exist. Port 110 supports plaintext POP3 and POP3 with STLS (the POP3 equivalent of STARTTLS).
POP3 is declining in UK business use. IMAP is more common because it supports multi-device synchronisation. POP3 remains in some legacy deployments and for specific use cases (archive retrieval, one-way collection).
POP3S. Implicit TLS from connection. The preferred POP3 port.

| Purpose | Preferred port | Fallback |
|---|---|---|
| Inbound MX delivery | 25 | No alternative |
| Outbound MX delivery (your server connecting to others) | 25 | No alternative |
| User submission (mobile mail app) | 465 (implicit TLS) | 587 (STARTTLS) |
| User submission (desktop client) | 465 (implicit TLS) | 587 (STARTTLS) |
| Mailbox access (primary, multi-device) | 993 IMAPS | 143 + STARTTLS |
| Mailbox access (download-only) | 995 POP3S | 110 + STLS |
| Authenticated relay (server forwarding through another) | 465 or 587 | Depends on relay config |

Firewall rules to open for UK business mail:
Residential ISPs commonly block outbound port 25 at the edge of their network. This is intentional and useful — it prevents infected home computers from being turned into spam relays. UK consumers connecting to a work mail server should use port 465 or 587, not 25.
Cloud provider egress: AWS, Azure, Google Cloud all restrict outbound port 25 by default on customer VMs. Mail servers deployed in cloud infrastructure must typically request an exemption or use a managed relay.
UK mail providers' typical port configuration:

| Provider | Submission ports | Access ports |
|---|---|---|
| SmartXHosting email (Axigen) | 465, 587 | 993, 995 |
| Microsoft 365 | 587 | 993, 995 |
| Google Workspace | 465, 587 | 993, 995 |
| Fastmail | 465 | 993, 995 |
| Proton Mail (via Bridge) | Bridge local | Bridge local |

UK organisations still running legacy configurations (plain port 143 IMAP, port 25 user submission, RFC 5321 era plaintext POP3) should migrate. The path:
The migration is rarely disruptive for UK businesses — modern clients auto-configure for TLS. Legacy devices (20-year-old Outlook installations, niche mail appliances) may need manual reconfiguration.
Common diagnostic commands:

```bash
# Test STARTTLS on port 25 (server-to-server SMTP)
openssl s_client -connect mail.firm.co.uk:25 -starttls smtp

# Test implicit TLS on port 465
openssl s_client -connect mail.firm.co.uk:465

# Test STARTTLS submission on port 587
openssl s_client -connect mail.firm.co.uk:587 -starttls smtp

# Test IMAPS on port 993
openssl s_client -connect mail.firm.co.uk:993

# Check which ports are listening
nc -zv mail.firm.co.uk 25 465 587 993 995
```
The `openssl s_client` output shows the negotiated TLS version, the cipher and the certificate details. A successful connection on every expected port is the sign of a well-configured mail server.
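A successful handshake does not show whether a STARTTLS-capable port (587, 143, 110) still offers authentication before the upgrade, which is the legacy behaviour the migration is meant to remove. The following is an added example, not part of the original article or any provider's tooling: it classifies the cleartext capability response of each such port, using constructed sample responses and verdict names chosen for illustration. It checks advertised capabilities only, so treat it as a heuristic.

```python
import re

def _smtp(resp):
    # EHLO reply lines look like "250-KEYWORD args"; the first one names the host.
    kws = [k.split("=")[0].upper() for k in re.findall(r"^250[- ](\S+)", resp, re.M)[1:]]
    return "STARTTLS" in kws, "AUTH" in kws

def _imap(resp):
    # Capabilities arrive as "* CAPABILITY ..." or inside "* OK [CAPABILITY ...]".
    m = re.search(r"CAPABILITY ([^\]\r\n]+)", resp, re.I)
    caps = m.group(1).upper().split() if m else []
    # LOGIN is allowed unless LOGINDISABLED is present; AUTH=... offers SASL.
    auth = "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps)
    return "STARTTLS" in caps, auth

def _pop3(resp):
    # CAPA reply: "+OK", then one capability per line, then a lone ".".
    caps = {l.split()[0].upper() for l in resp.splitlines()[1:] if l.strip() not in ("", ".")}
    return "STLS" in caps, bool(caps & {"USER", "SASL"})

PARSERS = {587: _smtp, 143: _imap, 110: _pop3}

def audit(port, pre_tls_response):
    """Classify what a STARTTLS-capable port advertises before the TLS upgrade."""
    has_upgrade, auth_offered = PARSERS[port](pre_tls_response)
    if not has_upgrade:
        return "no-tls-upgrade"      # plaintext only: retire or reconfigure
    if auth_offered:
        return "auth-before-tls"     # authentication is offered before encryption
    return "ok"                      # client must upgrade before authenticating

# Constructed sample responses (not captured from any real server).
SAMPLES = [
    (587, "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"),
    (587, "250-mail.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"),
    (143, "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n"),
    (143, "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\nA1 OK done\r\n"),
    (110, "+OK\r\nUSER\r\nUIDL\r\n.\r\n"),
]

def audit_samples():
    return [(port, audit(port, resp)) for port, resp in SAMPLES]

if __name__ == "__main__":
    for port, verdict in audit_samples():
        print(port, verdict)
```

To use it against your own server, paste in the text the server returns to `EHLO`, `CAPABILITY` or `CAPA` on the plaintext connection before any upgrade command is sent.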
UK mail providers increasingly run dual-stack infrastructure. IPv6 support on every email port is expected for new deployments. Ensure firewall and TLS configuration work identically on IPv4 and IPv6.
Known UK gotcha: some residential ISPs have patchy IPv6 deployment, and mail clients on those networks may silently prefer IPv4 even when IPv6 is enabled. Test both explicitly during rollouts.
Q: Should I still offer port 25 submission for legacy clients?
A: No. Port 25 is for server-to-server delivery only. Any client still configured for port 25 submission is legacy and should be migrated to 465 or 587.
Q: Why do some providers block outbound port 25?
A: To prevent spam and abuse from compromised end-user devices. Only dedicated mail servers need outbound 25; blocking it on end-user networks is a mild but effective anti-abuse measure.
Q: Can port 587 coexist with port 465?
A: Yes. Most modern UK mail servers offer both; clients choose. Port 465 is preferred for new configurations but 587 is universally supported.
Q: Does IMAP on port 143 (with STARTTLS) have any security advantage over 993?
A: No. They are functionally equivalent when both use TLS. Port 993 is preferred because it has no plaintext phase at connection setup.
Q: Should I configure my mail server to accept IMAP on port 143 at all?
A: Only if legacy clients require it. For new deployments, offering only 993 is fine — every modern client supports it.
Q: Are POP3 and IMAP interchangeable for clients?
A: No. POP3 downloads and typically removes messages; IMAP synchronises. Most modern UK users want IMAP for multi-device consistency. POP3 is acceptable for single-device archival clients.
Q: What is port 2525 for?
A: Non-standard alternative submission port used by some providers when 25/465/587 are blocked at the network. SendGrid and Mailgun both offer it. Useful as a fallback in restrictive environments.
Q: Do I need to configure a firewall rule for each port separately?
A: Yes. Only open ports that are actually in use. Closing unused ports reduces attack surface.
Q: Can a single server handle all email ports?
A: Yes, and this is common for small and mid-size UK deployments. Large deployments sometimes separate submission (465/587) from delivery (25) onto different hosts for operational reasons.
Q: Does TLS version matter more on some ports than others?
A: No. TLS 1.2+ is the recommended minimum on every port. Modern configurations support TLS 1.3 across all ports.
Q: What happens if I try to send mail on port 25 from my laptop on a UK home broadband connection?
A: The connection will usually fail — your ISP blocks outbound port 25. Use port 465 or 587 to reach your mail server instead.
Q: Are there UK-specific regulations around email ports?
A: No port-specific regulation. NCSC guidance requires TLS 1.2+ on all submission and access ports, which in practice means using 465, 587, 993, 995 rather than their plaintext counterparts.
Q: Can I run email on non-standard ports for obscurity?
A: Technically yes, but strongly discouraged for inbound MX. Other servers only know to deliver to port 25 for your MX host. For submission and access you can use non-standard ports, but interop with standard mail clients is lost.
Q: If I use Microsoft 365 or Google Workspace, do I need to worry about ports at all?
A: Only for client configuration — point mail apps at the provider's documented submission and access ports (typically 465+587 for submission, 993 for IMAP). The backend infrastructure is managed by the provider.
Q: What ports does MX-to-MX traffic use if the remote side blocks port 25?
A: There is no fallback for MX-to-MX. If port 25 is unreachable, the mail fails to deliver. This is why outbound port 25 blocks on cloud and residential networks are incompatible with running a mail server there — you need an unrestricted network or a managed relay.
Q: Can I run IMAP on a non-standard port for additional security?
A: Obscurity by port is not real security. Modern IMAPS on 993 with TLS 1.3 and strong authentication is already secure. Moving to a non-standard port adds operational complexity without material security benefit.
Q: Should I block outbound port 25 from non-mail-server machines on my corporate network?
A: Yes — it is a standard security measure. Only dedicated mail servers need outbound 25. Block it for everything else to prevent compromised machines from being used as spam relays.
Q: Is submission on port 2525 secure?
A: Provider-dependent. SendGrid and Mailgun offer it with the same TLS and authentication as standard ports. Confirm with the specific provider.
Q: Do email ports differ between providers for Business Email vs Private Email plans?
A: Usually not — SmartXHosting Business Email, Private Email and Public Administration Email all use the same submission and access ports. Check the provider's documentation for exceptions.
Q: Why is port 25 still plaintext by default in 2026?
A: Backward compatibility with the long tail of older servers. Even receivers that accept STARTTLS on port 25 cannot require it because some legacy senders still cannot negotiate TLS. MTA-STS and DANE let the receiver declare TLS mandatory for modern senders without breaking legacy traffic.
Q: How do port choices affect email deliverability?
A: For user submission, port choice is invisible to the recipient — the mail just gets out. For MX-to-MX, all receivers use port 25, so there is no variation. The real deliverability impacts are authentication (SPF, DKIM, DMARC) and reputation.
Q: Is there any scenario where I should enable plaintext IMAP on port 143?
A: Practically none in 2026. Every modern client supports IMAPS on 993. Leaving 143 open adds attack surface without practical user benefit.
Q: How does port management interact with PCI DSS compliance?
A: PCI DSS 4.0 requires that authentication and cardholder data traverse TLS 1.2+. In email terms, this means submission must use 465 or 587 with TLS, access must use 993 or 995, and any plaintext alternative must be disabled. Auditors check port configuration as part of scope review.
Q: Can a single hostname offer both STARTTLS and implicit TLS on the same port?
A: No — each port has one mode. Port 25 uses STARTTLS (implicit TLS is not supported). Port 465 uses implicit TLS only (STARTTLS is not used). Port 587 uses STARTTLS. The ports encode the mode.
Q: Does outbound mail from my UK business usually leave on port 25 or 465/587?
A: Your mail server sends outbound via port 25 to the recipient's MX host. Your users submit outbound via 465 or 587 to your mail server. Two different hops with different port conventions.
Q: Is there a best port for high-availability mail clusters?
A: All ports support HA the same way — via load balancers or DNS. No port-specific HA concern.
Q: My client supports both 465 and 587 — how does it pick?
A: Most modern mail apps try 465 first (implicit TLS, simpler) and fall back to 587 if 465 is unreachable. Auto-configuration scripts from providers usually configure both.
Q: Does the choice between 465 and 587 affect mail delivery speed?
A: Imperceptibly. The difference is the initial connection setup — implicit TLS saves one round-trip. For a user submitting mail to their own server, this is milliseconds. Not worth choosing a port based on performance.
Q: Are there UK legal requirements around which ports to use?
A: Not directly. Regulations specify encryption (TLS 1.2+), not specific ports. But in practice, using modern TLS ports (465, 587, 993, 995) is how you achieve regulatory compliance. Avoiding plaintext ports (143, 110 without STLS) is required.