What is port 25 and why is it often blocked

Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), the protocol used to send email between mail servers. When your mail server sends an email to someone at gmail.com, it connects to Gmail’s mail server on port 25 and delivers the message. Port 25 has been the standard for email delivery since 1982, and it remains the port that mail servers use to communicate with each other.

It is also one of the most commonly blocked ports on hosting platforms, cloud providers, and ISPs. The reason is spam. Port 25 is open by default on most servers, which means a compromised server or a malicious user can send email directly to any mail server in the world without going through an email service provider. This makes port 25 the favorite tool for spammers, and blocking it is the simplest way to prevent a hosting platform from being used as a spam relay.

This guide explains what port 25 does, why it is blocked, what to use instead, and how all the common ports relevant to web hosting relate to each other.

What network ports are#

A port is a number between 1 and 65535 that identifies a specific service running on a server. When your browser connects to a web server, it connects to an IP address on a specific port. The IP address identifies the server. The port identifies which service on that server should handle the connection.

Think of it like a building address (the IP) and an apartment number (the port). The address gets you to the building. The apartment number gets you to the right door.

Ports 1-1023 are “well-known ports” assigned to common services by IANA (Internet Assigned Numbers Authority). Ports 1024-49151 are “registered ports” that can be used by applications. Ports 49152-65535 are “dynamic ports” used for temporary connections.

Port 25: SMTP#

SMTP on port 25 handles server-to-server email delivery. When your email provider sends a message to the recipient’s email provider, the connection goes over port 25.

The process:

1. You compose an email and click send
2. Your email client sends the message to your outgoing mail server (usually on port 587 or 465, not port 25)
3. Your outgoing mail server looks up the recipient domain’s MX records to find the destination mail server
4. Your mail server connects to the destination mail server on port 25
5. The destination server accepts the message and delivers it to the recipient’s inbox

Step 4 is where port 25 matters. It is the port that mail servers use to talk to each other. Your email client almost never connects to port 25 directly. The distinction between client-to-server submission (ports 587/465) and server-to-server delivery (port 25) is important for understanding why blocking port 25 does not prevent you from sending email through a legitimate email service.

Why port 25 is unencrypted by default

SMTP on port 25 was designed before encryption was a concern. The original protocol sends everything in plaintext. Modern mail servers support STARTTLS, which upgrades the connection to encrypted after the initial plaintext handshake. Most legitimate mail servers now require STARTTLS on port 25, but the protocol still starts unencrypted, and some servers still accept plaintext connections.

This is one more reason port 25 is a security concern. A server sending email on port 25 without STARTTLS is transmitting email content, headers, and routing information in plaintext.

Why hosting providers block port 25#

Almost every major hosting provider and cloud platform blocks outbound port 25 by default: AWS, Google Cloud, Azure, DigitalOcean, Linode, Vultr, and most shared hosting platforms including Hostney. The reason is consistent across all of them: spam prevention.

A compromised server becomes a spam relay. If a WordPress site on your server gets hacked, the attacker can use PHP’s mail() function to send email directly through port 25. Without port 25 blocked, the attacker can send thousands of spam emails per hour using your server’s IP address. This gets your IP blacklisted, which means legitimate email from every other site on that server also stops being delivered.

A single spammer ruins the IP reputation for everyone. On shared hosting, many customers share the same server IP address. If one customer’s site sends spam through port 25, email reputation services blacklist the IP. Every other customer on that server is now unable to send email reliably. Blocking port 25 prevents any single account from causing this cascade.

PHP’s mail() function uses port 25 by default. When a WordPress plugin or PHP application calls mail() , it hands the message to the local mail transfer agent (usually Postfix or Sendmail on Linux), which tries to deliver it directly to the recipient’s mail server on port 25. If port 25 is open, this works. If the site is compromised, thousands of spam emails can be sent before anyone notices.

IP reputation is easier to destroy than to build. Getting on an email blacklist takes one spam incident. Getting off takes days to weeks of clean sending history and delisting requests. Hosting providers block port 25 proactively because the cost of cleanup far exceeds the cost of requiring customers to use SMTP relay services.

What to use instead of port 25#

Blocking port 25 does not mean you cannot send email from your server. It means you cannot send email directly to recipient mail servers. Instead, you send email through an SMTP relay service that handles the actual delivery.

SMTP relay services

An SMTP relay (also called a transactional email service) accepts email from your server on port 587 or 465 and delivers it to the recipient on your behalf. The relay service manages IP reputation, handles bounces, processes unsubscribes, and ensures your email is authenticated with SPF, DKIM, and DMARC.

Common SMTP relay services:

• SendGrid – free tier includes 100 emails/day
• Mailgun – free tier includes 5,000 emails/month for 3 months
• Amazon SES – very low cost at scale ($0.10 per 1,000 emails)
• Postmark – focused on transactional email with high deliverability
• SMTP2GO – straightforward SMTP relay with good reporting

For WordPress, install an SMTP plugin (WP Mail SMTP is the most popular) and configure it with your relay service’s credentials. The plugin overrides PHP’s mail() function and sends email through the relay on port 587 instead of trying to deliver directly on port 25.

Port 587 vs port 465

These are the two ports used for email submission (client-to-server, or application-to-relay).

Port 587 (Submission) is the standard port for email submission with STARTTLS. The connection starts in plaintext and upgrades to encrypted via the STARTTLS command. This is the port most SMTP relay services use and the one you should configure in your WordPress SMTP plugin.

Port 465 (SMTPS) was originally assigned for implicit TLS (encrypted from the first byte). It was briefly deprecated in favor of 587+STARTTLS but has been re-standardized. Some services support both. If port 587 does not work (some ISPs or networks block it), try 465.

Both ports are used for authenticated submission. You provide a username and password (or API key) to the relay service, and the connection is encrypted. Neither port is blocked by hosting providers because they require authentication, which prevents abuse.

All the ports relevant to web hosting#

Port 80 and 443: web traffic

Port 80 serves HTTP (unencrypted web traffic). Port 443 serves HTTPS (encrypted web traffic). Every web server listens on one or both of these ports. Modern sites should serve all traffic on port 443 and redirect port 80 to HTTPS.

Port 22: SSH and SFTP

Port 22 handles SSH connections (remote terminal access) and SFTP (secure file transfer). A single encrypted connection handles authentication, commands, and file data. Unlike FTP, no additional ports are needed.

Port 3306: MySQL

Port 3306 is the default MySQL port. On most hosting platforms, MySQL only listens locally (127.0.0.1) and does not accept remote connections unless explicitly configured. Exposing port 3306 to the internet without proper authentication and firewall rules is a significant security risk.

Checking which ports are open#

From the server

# List all listening ports
ss -tlnp

This shows every port with a process listening on it. The output includes the port number, the protocol (TCP), and the process name.

From outside the server

# Test if a specific port is open
nc -zv example.com 25
nc -zv example.com 587
nc -zv example.com 443

If the connection succeeds, the port is open. If it is refused, nothing is listening. If it times out, a firewall is blocking it.

Testing email delivery

# Test if you can connect to a mail server on port 25
nc -zv gmail-smtp-in.l.google.com 25

If this times out from your hosting server but works from your local machine, outbound port 25 is blocked on the hosting server. This is expected and correct behavior.

# Test if your SMTP relay works on port 587
nc -zv smtp.sendgrid.net 587

This should succeed. Port 587 is not blocked.

Port 25 on Hostney#

Outbound port 25 is blocked on all Hostney servers. This means your WordPress site cannot send email directly to recipient mail servers using PHP’s mail() function. This is intentional. Direct sending on port 25 results in poor deliverability even when it works, because shared hosting IP addresses are not trusted by major email providers.

Instead, configure an SMTP relay service. In your WordPress admin, install WP Mail SMTP (or a similar plugin), enter your relay service’s SMTP credentials (host, port 587, username, password), and all outgoing email from WordPress (order confirmations, password resets, contact form submissions, notification emails) will be delivered through the relay with proper authentication and encryption.

This is not a limitation. It is how email should be sent from a web application. Even on servers where port 25 is open, using an SMTP relay provides better deliverability, better tracking, and better abuse prevention than direct sending.

Quick reference#