
Best SMTP Settings for Reliable Email Delivery in 2025

The exact ports, encryption modes, authentication, and timeouts to use for production SMTP — plus a copy-paste config for the top providers.

The SMTPTester Team October 4, 2025 8 min read

A short answer first

For almost every production workload in 2025 you want port 587 with STARTTLS (enforced, with the server certificate verified) and AUTH PLAIN or AUTH LOGIN over that encrypted channel, or port 465 with implicit TLS if your library supports it cleanly. Port 25 is for server-to-server relay and is widely blocked for outbound use from cloud and residential networks.

That single line will solve 80 percent of "my email is not sending" tickets. The rest of this guide explains the why and the edge cases.

Picking the right port

Port   Encryption     Use case
25     Optional       MTA-to-MTA relay only
465    Implicit TLS   Submission, broadly supported again
587    STARTTLS       Modern submission, the default for most
2525   STARTTLS       Fallback when 587/465 are firewall-blocked

Cloud platforms like AWS, GCP, and many residential ISPs block outbound port 25. If your application runs in a VPC and SMTP suddenly stops working after a migration, the firewall is usually the cause.

Encryption: STARTTLS vs implicit TLS

Both deliver the same protection when correctly configured. The historical argument against STARTTLS was that an on-path attacker could remove the STARTTLS keyword from the EHLO reply (or break the upgrade) and keep the session in plaintext. That attack still works against any client configured for opportunistic TLS, which is the default in many libraries and MTAs; it fails only when the client is told to require TLS and aborts the session if the upgrade is not offered or the certificate does not verify. Treat "require TLS plus certificate verification" as a setting you check in your config, not one you assume.

Use STARTTLS (587) when:

  • Your client library defaults to it.
  • You want to interoperate with the widest set of servers.

Use implicit TLS (465) when:

  • You want the cleanest cryptographic story (encrypted from byte one).
  • You are connecting to a provider that documents 465 as preferred (Zoho, FastMail, some Postfix builds).
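The following is an added example, not code from the SMTPTester article, showing what "require TLS" actually looks like in Python's standard smtplib for both modes: implicit TLS on 465, and STARTTLS on 587 with the session aborted when the server does not offer the upgrade. The host names and the two EHLO replies are constructed; the second reply is what a stripping attacker leaves behind.

```python
# Added example (not from the SMTPTester article): strict submission transport
# with Python's standard smtplib. Host names and EHLO replies are constructed.
import smtplib
import ssl


def strict_tls_context() -> ssl.SSLContext:
    """Certificate verification and host-name checking on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_ehlo_extensions(raw_reply: bytes) -> set[str]:
    """Extension keywords from a raw multi-line EHLO reply as seen on the wire.

    The first line carries the server greeting; every later '250-' or '250 '
    line names one extension, optionally followed by parameters.
    """
    keywords: set[str] = set()
    lines = raw_reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if len(line) < 5 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def require_starttls(raw_reply: bytes) -> None:
    """Abort instead of silently continuing in plaintext: a missing STARTTLS
    keyword is exactly what an on-path stripping attacker produces."""
    if "STARTTLS" not in parse_ehlo_extensions(raw_reply):
        raise RuntimeError("server did not offer STARTTLS; refusing plaintext session")


# Constructed replies: a normal server, and the same server as seen through
# an attacker that deleted the STARTTLS line from the capability list.
EHLO_NORMAL = (b"250-smtp.example.com Hello client.example.net\r\n"
               b"250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n"
               b"250 SMTPUTF8\r\n")
EHLO_STRIPPED = (b"250-smtp.example.com Hello client.example.net\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250 SMTPUTF8\r\n")


def open_submission(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Open a session ready for AUTH: implicit TLS on 465, enforced STARTTLS otherwise."""
    ctx = strict_tls_context()
    if port == 465:
        # Implicit TLS: the handshake happens before a single SMTP byte is exchanged.
        smtp = smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
        smtp.ehlo()
        return smtp
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):  # same check as require_starttls(), on the live reply
        smtp.close()
        raise RuntimeError(f"{host}:{port} did not offer STARTTLS; refusing plaintext session")
    smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad certificate
    smtp.ehlo()  # re-issue EHLO: the pre-TLS capability list arrived in plaintext and is untrusted
    return smtp
```

The two EHLO constants let you test the stripping check offline; `open_submission()` is the production path and needs a reachable server. Note the second `ehlo()` after the upgrade: features such as AUTH advertised before TLS came from an unauthenticated channel.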

Authentication mechanism

Prefer AUTH LOGIN or AUTH PLAIN over an encrypted channel for password-based credentials. For OAuth-protected mailboxes (Gmail Workspace, Microsoft 365 with modern auth), use XOAUTH2 and refresh the token before each batch.

Never enable AUTH CRAM-MD5 as a primary mechanism — it predates modern TLS and forces the server to store passwords in a recoverable form.
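As an added example (not from the article), here is what the two recommended mechanisms put on the wire, built by hand so the encoding is visible, plus a guard that refuses to send either one over a socket that is not TLS. The user names, password and token are constructed; `authenticate()` assumes an smtplib session opened with STARTTLS or SMTP_SSL.

```python
# Added example (not from the SMTPTester article): SASL initial responses for
# AUTH PLAIN and XOAUTH2, and a guard against sending them in plaintext.
# Credentials below are constructed.
import base64
import smtplib
import ssl


def plain_response(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL password (smtplib base64-encodes it)."""
    return f"{authzid}\0{user}\0{password}"


def xoauth2_response(user: str, access_token: str) -> str:
    """XOAUTH2 as used by Gmail and Microsoft 365: user=<addr>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def wire_encode(sasl_response: str) -> str:
    """The single base64 line that follows 'AUTH <MECH> ' on the wire."""
    return base64.b64encode(sasl_response.encode("utf-8")).decode("ascii")


def channel_is_encrypted(sock) -> bool:
    """True only when the session socket is a TLS socket (after starttls() or SMTP_SSL)."""
    return isinstance(sock, ssl.SSLSocket)


def authenticate(smtp: smtplib.SMTP, user: str, secret: str, mechanism: str = "PLAIN") -> None:
    """Run AUTH on an open session; refuse outright if the transport is not TLS."""
    if not channel_is_encrypted(smtp.sock):
        raise RuntimeError("refusing to send credentials: session is not TLS-protected")
    if mechanism == "XOAUTH2":
        def authobject(challenge=None):
            if challenge is not None:
                # A 334 challenge after our initial response carries a base64 JSON
                # error from the provider (expired or mis-scoped token). Surface it;
                # the caller should drop the session rather than retry blindly.
                raise smtplib.SMTPAuthenticationError(334, challenge)
            return xoauth2_response(user, secret)
        smtp.auth("XOAUTH2", authobject, initial_response_ok=True)
    elif mechanism == "PLAIN":
        smtp.auth("PLAIN", lambda challenge=None: plain_response(user, secret),
                  initial_response_ok=True)
    else:
        raise ValueError(f"unsupported mechanism {mechanism!r}")
```

Typical use: `authenticate(smtp, "alice@example.com", access_token, "XOAUTH2")` right after the session is opened; for SendGrid-style API keys the same call with `mechanism="PLAIN"` and the literal user name the provider documents. The `channel_is_encrypted()` check is cheap insurance against a refactor that quietly drops the STARTTLS call.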

Connection pooling and timeouts

Real-world SMTP problems usually surface under load, not in tests. Sensible production defaults:

  • Connection timeout: 10 seconds. SMTP handshakes that take longer almost always indicate a network issue.
  • Socket timeout: 30 seconds. Long enough to send a large message body.
  • Pool size: 5–10 concurrent connections per worker. Most providers throttle aggressively above this.
  • Keep-alive: Reuse sockets for batches. Reopening a TLS session for every recipient adds 200–400 ms of needless latency.
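An added example (not from the article) of the four defaults above applied together: a bounded pool that reuses TLS sessions, probes an idle session with NOOP before handing it out, and keeps a short connect timeout separate from the longer per-command socket timeout. `open_real_connection()` is the real factory and assumes a host of smtp.example.com; `FakeSmtp` is a constructed stand-in so the pool logic can run without a network.

```python
# Added example (not from the SMTPTester article): bounded SMTP connection pool
# with liveness checks and split timeouts. FakeSmtp is a constructed stand-in.
import queue
import smtplib
import ssl
import threading
from typing import Callable

CONNECT_TIMEOUT = 10.0  # a slow handshake almost always means a network problem
SOCKET_TIMEOUT = 30.0   # per-command budget, sized for a large DATA body


def open_real_connection(host: str = "smtp.example.com", port: int = 587) -> smtplib.SMTP:
    """Factory for production use (not called offline). Host name is an assumption."""
    smtp = smtplib.SMTP(host, port, timeout=CONNECT_TIMEOUT)
    smtp.ehlo()
    smtp.starttls(context=ssl.create_default_context())  # raises if STARTTLS is not offered
    smtp.ehlo()
    smtp.sock.settimeout(SOCKET_TIMEOUT)  # widen the budget only once the session is up
    return smtp


class FakeSmtp:
    """Constructed stand-in for smtplib.SMTP: lets the pool be exercised without a server."""

    def __init__(self):
        self.alive = True
        self.closed = False

    def noop(self):
        if not self.alive:
            raise smtplib.SMTPServerDisconnected("connection dropped by peer")
        return (250, b"OK")

    def quit(self):
        if not self.alive:
            raise smtplib.SMTPServerDisconnected("connection dropped by peer")
        self.closed = True

    def close(self):
        self.closed = True


class SmtpPool:
    """Bounded LIFO pool: at most `size` sessions in flight, hottest socket reused first."""

    def __init__(self, factory: Callable[[], object], size: int = 5):
        self._factory = factory
        self._idle: queue.LifoQueue = queue.LifoQueue()
        self._slots = threading.BoundedSemaphore(size)
        self.created = 0  # how many real sessions were opened; reuse keeps this low

    def acquire(self):
        self._slots.acquire()  # back-pressure: callers wait instead of tripping provider throttles
        try:
            conn = self._idle.get_nowait()
        except queue.Empty:
            return self._new()
        try:
            code, _ = conn.noop()  # cheap liveness probe: providers drop idle sockets
            if code == 250:
                return conn
        except Exception:
            pass
        self._discard(conn)
        return self._new()

    def release(self, conn, broken: bool = False) -> None:
        if broken:
            self._discard(conn)
        else:
            self._idle.put(conn)
        self._slots.release()

    def close_all(self) -> None:
        while True:
            try:
                self._discard(self._idle.get_nowait())
            except queue.Empty:
                return

    def _new(self):
        conn = self._factory()
        self.created += 1
        return conn

    @staticmethod
    def _discard(conn) -> None:
        try:
            conn.quit()
        except Exception:
            pass
        try:
            conn.close()
        except Exception:
            pass


def demo() -> dict:
    """Exercise the pool offline: two sessions serve a batch, one dies idle and is replaced."""
    pool = SmtpPool(FakeSmtp, size=2)
    a, b = pool.acquire(), pool.acquire()  # two fresh sessions
    pool.release(a)
    pool.release(b)
    c = pool.acquire()                     # LIFO: the hottest socket (b) comes back
    reused = c is b
    pool.release(c)
    b.alive = False                        # provider closed the idle socket
    d = pool.acquire()                     # NOOP fails, b is discarded, a new session is opened
    pool.release(d)
    pool.close_all()
    return {"created": pool.created, "reused": reused, "replaced": d is not b, "dead_closed": b.closed}
```

With a real factory, a worker does `conn = pool.acquire()` / `conn.send_message(msg)` / `pool.release(conn)` per message, passing `broken=True` when `send_message` raised, so one dead socket never poisons the batch.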

Sender identity: SPF, DKIM, DMARC

The SMTP layer accepts your connection. The deliverability layer decides whether the message reaches the inbox. Three records are non-negotiable in 2025:

  1. SPF — authorise your sending IPs.
  2. DKIM — sign each message with an RSA key of at least 2048 bits, with the public key published in DNS.
  3. DMARC — publish a policy with a rua= reporting address (start with p=none, monitor the aggregate reports, then move to p=quarantine or p=reject).

Gmail and Yahoo now reject or junk-folder high-volume mail that fails DMARC alignment. There is no workaround: at least one of SPF or DKIM has to pass for a domain aligned with the visible From: address.
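As an added example (not from the article), here is the alignment decision a receiver makes, written out so you can predict a verdict before you send. The DMARC record and the four scenarios are constructed; `org_domain()` is a simplification (assumption) of the Public Suffix List lookup real receivers use.

```python
# Added example (not from the SMTPTester article): DMARC alignment evaluation.
# Record and scenarios are constructed; org_domain() is a simplification.


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=...; adkim=...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the record says otherwise
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption;
    production code must consult the Public Suffix List, e.g. for co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode: exact match. Relaxed mode: same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_evaluate(from_domain: str, record: str, *, spf_domain=None, spf_result="none",
                   dkim_domain=None, dkim_result="none") -> dict:
    """spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= of a
    signature that verified. DMARC passes when either identifier is aligned."""
    tags = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)  # sp= governs From: headers on subdomains
    return {"pass": passed, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "disposition": "none" if passed else policy}


# Constructed record for example.com, already moved past the p=none monitoring stage.
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                "rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r")


def scenarios() -> dict:
    """Four constructed deliveries and the verdict a receiver would reach for each."""
    return {
        # Own MTA: bounce subdomain as MAIL FROM, signature by the org domain.
        "own_mta": dmarc_evaluate("example.com", DMARC_RECORD,
                                  spf_domain="bounce.example.com", spf_result="pass",
                                  dkim_domain="example.com", dkim_result="pass"),
        # Third-party provider using its own MAIL FROM and no DKIM for our domain:
        # SPF passes for the provider, but that identifier is not aligned with From:.
        "unaligned_provider": dmarc_evaluate("example.com", DMARC_RECORD,
                                             spf_domain="bounces.esp.example", spf_result="pass"),
        # Forwarded mail: SPF fails at the forwarder's IP, but our DKIM signature survives.
        "forwarded": dmarc_evaluate("example.com", DMARC_RECORD,
                                    spf_domain="example.com", spf_result="fail",
                                    dkim_domain="example.com", dkim_result="pass"),
        # Subdomain From: with nothing aligned hits sp=reject, not p=quarantine.
        "subdomain_unauthenticated": dmarc_evaluate("news.example.com", DMARC_RECORD),
    }
```

The "unaligned_provider" case is the one that bites teams moving to a new ESP: SPF shows "pass" in the headers, yet DMARC fails because the passing domain is the provider's, not yours. Either set a custom MAIL FROM domain under your organizational domain or have the provider DKIM-sign with your domain.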

Provider quick-reference

Gmail:        smtp.gmail.com:587 STARTTLS, app password (or XOAUTH2)
M365:         smtp.office365.com:587 STARTTLS, UPN (XOAUTH2 where the tenant has basic auth disabled)
SendGrid:     smtp.sendgrid.net:587 STARTTLS, literal user "apikey" + API key as the password
Mailgun:      smtp.mailgun.org:587 STARTTLS, postmaster@domain
Amazon SES:   email-smtp.<region>.amazonaws.com:587 STARTTLS, SES SMTP credentials (not raw IAM keys)
Postmark:     smtp.postmarkapp.com:587 STARTTLS, server token as both username and password
Zoho:         smtp.zoho.com:465 implicit TLS, full email address

Test before you ship

Run every change through SMTPTester before deploying. A 30-second test that confirms the connection, TLS negotiation, and authentication will save hours of customer-support work later.
