Infrastructure

SMTPSimple Mail Transfer Protocol

Q: What is the SMTP envelope?

The envelope is the MAIL FROM and RCPT TO exchanged during the SMTP conversation. It controls actual routing and bounce handling and is what SPF checks. It is separate from the visible From: and To: headers inside the message, which is why an email can pass SPF on the envelope yet fail DMARC alignment on the header.

Q: What do SMTP reply codes mean?

Each command gets a three-digit reply. 2xx means success, 4xx is a temporary failure that triggers a retry (a soft bounce), and 5xx is a permanent failure (a hard bounce). The codes are how senders learn whether mail was accepted, deferred, or rejected.

Definition

SMTP (Simple Mail Transfer Protocol) is the standard that moves email between servers across the internet. Defined in RFC 5321, it is a text-based conversation of commands like MAIL FROM, RCPT TO, and DATA, each answered with a numeric reply code. Server-to-server relay runs on port 25, while mail clients submit on port 587 or 465.

The protocol every server uses to hand email to the next server
A scripted exchange of commands, each met with a numeric reply code
Port 25 relays between servers; 587 and 465 are for authenticated submission
The SMTP envelope is separate from the visible From: header

At a glance

Stands for Simple Mail Transfer Protocol

Defined in RFC 5321 (2008)

Relay port 25

Submission ports 587 (STARTTLS) · 465 (implicit TLS)

Core commands HELO/EHLO, MAIL FROM, RCPT TO, DATA

Reply codes 2xx ok · 4xx temporary · 5xx permanent

How an SMTP conversation runs

SMTP is a back-and-forth dialogue. The sending server connects, greets the receiver with EHLO (announcing its hostname), then names the sender with MAIL FROM, the recipient with RCPT TO, and finally sends the message itself after DATA. The receiver replies to each step with a three-digit code: 2xx means accepted, 4xx means a temporary failure (a soft bounce), and 5xx means a permanent one (a hard bounce).

A trimmed SMTP transaction (S = server, C = client)

S: 220 mail.example.com ESMTP ready
C: EHLO sender.example.net
S: 250-mail.example.com
S: 250 STARTTLS
C: MAIL FROM:<alice@sender.example.net>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.com>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Hello
C: .
S: 250 2.0.0 Ok: queued

The ports: 25 for relay, 587 and 465 for submission

Not every SMTP port does the same job, and using the wrong one is a frequent source of trouble:

25: server-to-server relay, the port one mail server uses to deliver to another. It is unauthenticated and widely blocked on consumer connections to curb spam, so it is not for mail clients.
587: the standard submission port (RFC 6409) for a mail client or app to hand mail to its provider. It requires authentication and upgrades to encryption with STARTTLS.
465: submission with implicit TLS (RFC 8314), encrypted from the very first byte. Now recommended alongside 587 for client submission.

The rule of thumb: applications and devices submit on 587 or 465 with a username and password; servers relay to each other on 25.

The envelope vs the header

SMTP draws a line that confuses many senders: the envelope versus the message headers. The envelope is the MAIL FROM and RCPT TO exchanged in the SMTP conversation; it controls where the message actually goes and where bounces return, and it is what SPF checks. The headers (From:, To:, Subject:) travel inside the DATA block and are what the recipient sees.

The two can differ, and legitimately do: a newsletter might carry an envelope Return-Path at your ESP’s domain while the visible From: is your brand. That gap is precisely why DMARC exists, to require that the authenticated domain aligns with the From: the reader actually sees. Understanding the split is the key to reading an email header.

SMTP and deliverability

Every deliverability signal flows through an SMTP transaction. The receiver runs reverse DNS on your connecting IP, checks the hostname you gave in EHLO (which should be a fully qualified domain name that resolves), validates SPF against your envelope sender, and replies with the code that becomes your bounce. A clean SMTP setup, correct EHLO, encryption on, matching reverse DNS, is the table stakes that lets your authentication and content be judged fairly.

Since February 2024, Google and Yahoo also require senders to use a TLS connection when transmitting mail, so plain unencrypted SMTP to their servers is no longer acceptable for bulk sending. Getting the basics right at the protocol layer prevents a whole class of avoidable rejections.

An SMTP delivery, step by step

The sending server connects to the receiver on port 25

It greets with EHLO and upgrades to TLS

It names the sender (MAIL FROM) and recipient (RCPT TO)

It sends the message after DATA; the receiver replies with a code

2xx: accepted 4xx: try again later 5xx: rejected

On a 2xx reply the message is queued for the inbox

SMTP ports at a glance

	Port 25	Port 587	Port 465
Purpose	Server-to-server relay	Client submission	Client submission
Encryption	Opportunistic	STARTTLS	Implicit TLS
Authentication	None	Required	Required
Defined in	RFC 5321	RFC 6409	RFC 8314

By the numbers

Port 25

The default SMTP port for server-to-server relay, in use since the protocol’s origin.

RFC 5321

The current SMTP specification, published in 2008, which obsoleted RFC 821 and RFC 2821.

Reply-code classes that decide a message’s fate: 2xx accept, 4xx retry, 5xx reject.

Common mistakes

Submitting mail on port 25 from an app

Port 25 is for server relay and is unauthenticated and often blocked. Mail clients and applications should submit on 587 or 465 with authentication.

Sending an EHLO name that does not resolve

RFC 5321 expects the hostname in your greeting to be a fully qualified domain name. A bogus or non-resolving EHLO is a common reason mail is downgraded or rejected.

Confusing the envelope sender with the From: header

SPF authenticates the envelope MAIL FROM, not the visible From: the reader sees. Treating them as one thing is why mail can pass SPF yet still fail DMARC alignment.

Relying on unencrypted SMTP

Since February 2024, Gmail and Yahoo require a TLS connection for incoming mail. Sending in plain text to major providers now risks rejection.

Frequently asked questions

What is SMTP used for?

SMTP is the protocol servers use to send and relay email across the internet. It defines the commands (MAIL FROM, RCPT TO, DATA) and reply codes that move a message from the sender’s server, through any relays, to the receiving mail server. It handles sending; protocols like IMAP and POP handle retrieval.

What is the difference between port 25, 587, and 465?

Port 25 is for server-to-server relay and is unauthenticated. Ports 587 and 465 are for client submission and require authentication: 587 starts plain and upgrades with STARTTLS, while 465 uses implicit TLS that is encrypted from the first byte. Apps should use 587 or 465.

What is the SMTP envelope?

The envelope is the MAIL FROM and RCPT TO exchanged during the SMTP conversation. It controls actual routing and bounce handling and is what SPF checks. It is separate from the visible From: and To: headers inside the message, which is why an email can pass SPF on the envelope yet fail DMARC alignment on the header.

What do SMTP reply codes mean?

Each command gets a three-digit reply. 2xx means success, 4xx is a temporary failure that triggers a retry (a soft bounce), and 5xx is a permanent failure (a hard bounce). The codes are how senders learn whether mail was accepted, deferred, or rejected.

Sources & further reading

RFC 5321 · Simple Mail Transfer Protocol (the current SMTP standard) RFC 6409 · Message Submission for Mail (port 587) RFC 8314 · Cleartext considered obsolete: implicit TLS (port 465)

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary