Short answer: Port 587 is not encrypted by default — but it is the standard port for encrypted SMTP submission via STARTTLS. Whether your message is actually encrypted depends on how your client and server negotiate the connection.
How encryption works on port 587
- The client opens an unencrypted connection to port 587.
- The server announces support for STARTTLS.
- The client issues
STARTTLSand the connection is upgraded to TLS. - Authentication and the email body are now encrypted.
Port 587 vs. 465 vs. 25
| Port | Use | Encryption |
|---|---|---|
| 587 | Modern SMTP submission | STARTTLS (recommended) |
| 465 | Legacy SMTPS | Implicit TLS from start |
| 25 | Server-to-server relay | Often blocked, opportunistic TLS |
Make sure your port 587 connection is encrypted
- Enable STARTTLS (or "TLS / Auto") in your email client.
- Require authentication (SMTP AUTH).
- Verify the server certificate is valid.
- Add SPF, DKIM and DMARC records to your domain.
Use a hardened SMTP — try Mailpro free
Mailpro's SMTP relay enforces TLS, signs every message with DKIM and follows SPF/DMARC best practices out of the box. Discover Mailpro SMTP · Deliverability hub
Related reading: