STARTTLS vs Implicit TLS Explainer
Three SMTP ports, two TLS modes, one extremely common misconfiguration. This guide picks the right combo.
| Port | Use | TLS mode | Note |
|---|---|---|---|
| 25 | Server-to-server relay | STARTTLS (opportunistic) | Often unencrypted in legacy paths. MTA-STS / DANE fix this for inbound. |
| 465 | Submission (legacy) | Implicit TLS (SMTPS) | Connection is TLS from the first byte. Resurrected in RFC 8314 (2018). |
| 587 | Submission (modern) | STARTTLS required | Default for mail clients. Requires authentication. |
| 2525 | Alternative submission | STARTTLS or implicit | Used by ESPs (SendGrid, Mailgun) when ISPs block 25/587. |
On port 25 with opportunistic STARTTLS, a man-in-the-middle can strip the STARTTLS advertisement and force plaintext. MTA-STS and DANE were designed to prevent this. Mail clients on port 587 should always REQUIRE STARTTLS, not just attempt it.
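The "require, not just attempt" rule for submission clients, as an added Python example that is not part of the original page: it uses implicit TLS on 465 and, on any other port, aborts before authentication if the EHLO reply lacks STARTTLS. The names `open_submission`, `StartTLSRequired`, `plaintext_only_listener` and `refuses_plaintext` are hypothetical, and the loopback listener is a constructed fixture standing in for a path where the STARTTLS line is missing.

```python
import smtplib
import socket
import ssl
import threading

class StartTLSRequired(Exception):
    """The server did not offer STARTTLS, so the session must not continue."""

def open_submission(host, port, context=None, timeout=5):
    """Connect with the TLS mode for the port; never fall back to plaintext."""
    context = context or ssl.create_default_context()  # verifies chain + hostname
    if port == 465:  # implicit TLS: handshake before any SMTP byte
        return smtplib.SMTP_SSL(host, port, local_hostname="client.invalid",
                                context=context, timeout=timeout)
    conn = smtplib.SMTP(host, port, local_hostname="client.invalid", timeout=timeout)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            raise StartTLSRequired(f"{host}:{port} did not advertise STARTTLS")
        conn.starttls(context=context)
        conn.ehlo()  # capabilities seen before TLS are untrusted; ask again
    except Exception:
        conn.close()  # drop the socket before AUTH or mail data can be sent
        raise
    return conn

def plaintext_only_listener():
    """Constructed fixture: loopback SMTP listener whose EHLO reply has no
    STARTTLS line, which is what a client sees on a downgraded path."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        c, _ = srv.accept()
        with c:
            c.sendall(b"220 mx.test.invalid ESMTP\r\n")
            c.recv(1024)  # EHLO
            c.sendall(b"250-mx.test.invalid\r\n250 AUTH PLAIN LOGIN\r\n")
            c.recv(1024)  # returns once the client hangs up
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def refuses_plaintext(host, port):
    """True if open_submission aborted rather than continue without TLS."""
    try:
        open_submission(host, port).close()
    except StartTLSRequired:
        return True
    return False
```

Against the fixture, `refuses_plaintext("127.0.0.1", plaintext_only_listener())` returns `True`: the client closes the connection without ever sending credentials.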
Per-port reference (25, 465, 587, 2525) with the right TLS mode for each. Includes the STRIPTLS downgrade-attack note.
Configuring a relay. Configuring a mail client. Diagnosing 'works in some clients, fails in others'.