Email protocols clarified: a modern look at SMTP, IMAP, and JMAP
When configuring an email server, opening the firewall or troubleshooting delivery issues, knowledge about which ports do what is essential. This guide explains the key ports for sending and retrieving email, covers both encrypted and unencrypted traffic, and clarifies how service roles have shifted over the years.
SMTP: the backbone of email delivery
SMTP (simple mail transfer protocol) forms the core of email transmission between servers and, in some cases, from clients to servers. Its role has evolved with internet standards and rising security needs.
- Port 25: The original and still primary port for server-to-server SMTP traffic. When a message is relayed between a mailserver and a remote mail host, port 25 is used. The encryption extension STARTTLS can upgrade this connection, but is not always enforced.
Due to its abuse by spammers, many ISPs deliberately block client outbound access to port 25, making its use mostly server-exclusive today.
Port 587: Known as the “submission” port. Designed explicitly for end-users (email clients like Thunderbird, Roundcube, etc.) submitting outbound mail to their provider. Unlike port 25, port 587 requires authentication and is expected to use STARTTLS for security. Thus, everyday users typically configure their outgoing (SMTP) settings to use port 587.
Port 465: Once used unofficially as “smtps” (SMTP over SSL/TLS), this port was deprecated but later reinstated by the IANA. Some providers offer it as a way for clients to connect using implicit SSL/TLS from the outset. While port 465 isn’t as widely used as 587, it still offers direct, always-encrypted submission for some clients.
IMAP and its alternatives: reading your mail
IMAP (internet message access protocol) allows mail clients to retrieve messages from a central server, maintaining synchronization across devices.
Port 143: The standard IMAP port. Connections here start unencrypted and, like SMTP, can be “upgraded” to encrypted status using STARTTLS. For historical and compatibility reasons, this port still sees significant use, though encryption is strongly encouraged.
Port 993: Secure IMAP (commonly called IMAPS) runs here. It uses implicit TLS, meaning the connection starts out encrypted. This is the go-to for secure email retrieval in most client software today.
Email client configuration
A typical configuration for fetching your mail from the mailserver mx.example.com looks like:
Incoming IMAP server: mx.example.com
Port: 993
Security: SSL/TLS
Username: you@example.com
Password: your-super-secure-passwordThe config for sending emails:
Outgoing SMTP server: mx.example.com
Port: 587
Security: STARTTLS (or "require encryption")
Username: you@example.com
Password: your-super-secure-passwordJMAP: a modern approach
JMAP (JSON meta application protocol) is a greatly simplified protocol by Fastmail that has not yet seen widespread adoption. Despite it similifying APIs, overly complicated exchange/upgrade protocols, increasing flexibility, and requiring encryption from the start, it hasn’t been adopted by the email giants like Gmail, Outlook, etc.
JMAP isn’t tied to traditional email ports - it leverages HTTPS for communication, allows clients to manage messages, calendars, and contacts using JSON formatting. JMAP adoption would reduce bandwidth and simplify multi-device synchronization, especially over mobile networks.
Regardless, the open-source mailserver Stalwart Mail supports JMAP out of the box. This is also the mailserver we recommend for self-hosters because of privacy and security reasons, as well as ease of use and flexibility.
It is speculated that JMAP will never see widespread adoption and suffers from its flaws, but a modern email protocol that’s not plagued by past bad design decisions is long overdue.
Providers supporting JMAP typically direct you to a URL such as:
https://example.hexname.com/jmapSummary
| Port | Protocol | Use Case | Encryption |
|---|---|---|---|
| 25 | SMTP | Server-to-server mail delivery | STARTTLS optional |
| 587 | Submission | Client outgoing mail | STARTTLS required |
| 465 | SSMTPS | Legacy/alternate encrypted SMTP | SSL/TLS required |
| 143 | IMAP | Client mail retrieval | STARTTLS optional |
| 993 | IMAPS | Secure mail retrieval | SSL/TLS required |
| 443 | JMAP/HTTPS | Modern mail access (web API) | SSL required |
If you need to set up DNS records for your mailserver without nonsense, and fast, you can use a service like HexName to own your mail infrastructure.