✉️

SMTP Test Tool

Look up SMTP settings, generate config code, troubleshoot errors, and check DNS records

Select Email Provider

SMTP Configuration Generator

Fill in your server details to generate ready-to-use code snippets

SMTP Host

Port

Security Protocol

Username

Password / API Key

From Name

From Email

To Email (Test Recipient)

Subject

Message Body

Generated Code Snippet

Values update live as you type above. Copy the snippet and paste directly into your project.

SMTP Error Code Reference

Searchable table of all common SMTP response codes with fix suggestions

Code	Name	Description	How to Fix

DNS Record Examples

Template SPF, DKIM, DMARC, MX, and PTR records for your domain

Your Domain

Note: This tool shows template/example DNS records for educational reference. It cannot perform live DNS lookups (static site). For live checks, use MXToolbox, DNSChecker.org, or nslookup from your terminal. Allow 15–60 minutes for DNS changes to propagate.

SMTP Port Quick Reference

587

STARTTLS

Recommended standard

465

SSL/TLS

Implicit TLS

Plain / None

Server-to-server only

2525

STARTTLS (alt)

Fallback if 587 blocked

What is SMTP and How Does It Work?

SMTP (Simple Mail Transfer Protocol) is the standard communication protocol for sending email across the internet. When you click "Send" in any email client or application, SMTP handles the transmission of your message from your mail client to your mail server, and then from mail server to mail server until it reaches the recipient's inbox. SMTP was originally defined in RFC 821 in 1982 and has been updated numerous times, with the current standard being RFC 5321.

The SMTP conversation follows a strict command-response pattern. The client connects, identifies itself with EHLO, authenticates, specifies the sender with MAIL FROM, specifies recipients with RCPT TO, sends the message body after the DATA command, and closes with QUIT. Every step the server responds with a three-digit status code indicating success (2xx), temporary failure (4xx), or permanent failure (5xx).

SMTP Authentication Methods

Modern SMTP servers require authentication to prevent unauthorized relay of email (spam). The most common authentication mechanisms are:

AUTH LOGIN — Username and password transmitted as separate Base64-encoded strings. Simple but credentials are visible in logs.
AUTH PLAIN — Username and password combined in a single Base64-encoded string. Similar security to AUTH LOGIN.
AUTH XOAUTH2 / OAuth2 — Token-based authentication used by Gmail, Office 365, and Yahoo. More secure as credentials never leave the provider.
CRAM-MD5 — Challenge-response mechanism where the password is never transmitted, only a hash. Less common today.

STARTTLS vs SSL/TLS — Understanding the Difference

Both STARTTLS and SSL/TLS encrypt the SMTP connection, but they work differently. SSL/TLS (port 465) creates an encrypted tunnel before any SMTP communication begins — the entire session is encrypted from byte one. STARTTLS (port 587) begins as a plaintext SMTP session and then issues the STARTTLS command to upgrade the connection to TLS mid-session. If STARTTLS negotiation fails and the server accepts plain connections, there is a risk of downgrade attacks. Both are secure when properly configured; modern best practice (RFC 8314) recommends SSL/TLS (implicit TLS) for new deployments.

Email Authentication: SPF, DKIM, and DMARC Explained

Configuring SMTP correctly is only half the battle — proper email authentication records are equally critical for inbox delivery:

SPF (Sender Policy Framework) — A DNS TXT record at your domain root listing authorized sending IP addresses and mail services. Prevents anyone from spoofing your domain as the sender.
DKIM (DomainKeys Identified Mail) — Adds a cryptographic RSA signature to email headers, signed with your private key. Receiving servers verify the signature against the public key published in your DNS. Ensures the email was not tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — Ties SPF and DKIM together with a policy record that tells receiving servers what to do when a message fails authentication: p=none (monitor only), p=quarantine (send to spam), or p=reject (discard). Also enables aggregate reporting to help you identify spoofing attempts.

Provider-Specific SMTP Configuration Notes

Provider	SMTP Host	Port (STARTTLS)	Port (SSL)	Auth Requirement
Gmail	smtp.gmail.com	587	465	App Password (2FA required)
Outlook	smtp.office365.com	587	—	OAuth2 or App Password
Yahoo	smtp.mail.yahoo.com	587	465	App Password (2FA required)
Zoho	smtp.zoho.com	587	465	Account credentials
ProtonMail	smtp.protonmail.ch	587	—	Proton Bridge (desktop)
SendGrid	smtp.sendgrid.net	587 / 2525	465	Username: apikey / Password: API key
Mailgun	smtp.mailgun.org	587 / 2525	465	SMTP credentials from dashboard
Amazon SES	email-smtp.<region>.amazonaws.com	587 / 25	465	IAM-generated SMTP credentials

Common SMTP Troubleshooting Scenarios

Connection Timeout

A connection timeout when trying to connect to port 587 or 465 usually means the port is blocked. Most ISPs and cloud providers (AWS EC2, Google Cloud, Azure) block outbound port 25 by default. Try port 2525 as an alternative, or use your mail provider's relay service. For servers you control, check the firewall rules and ensure the SMTP port is open for outbound traffic.

Authentication Failures (Error 535)

The most frequent error for consumer email accounts. For Gmail and Yahoo, this almost always means you are using your regular account password instead of an App Password. App Passwords are 16-character device-specific passwords generated in your account security settings. Regular passwords are rejected when 2FA is active. For business accounts on Office 365, SMTP AUTH must be explicitly enabled per-mailbox.

Email Delivered to Spam

If email sends successfully via SMTP but arrives in spam, the issue is with sender reputation and authentication records rather than SMTP configuration. Start by testing your domain with mail-tester.com or MXToolbox. Common causes include missing SPF or DKIM records, no DMARC policy, the sending IP being on a blacklist, low volume sending history, or message content triggering spam filters.

Frequently Asked Questions

What SMTP port should I use — 25, 465, or 587?

Port 587 with STARTTLS is the recommended choice for sending email from applications and clients in 2025. Port 465 with SSL/TLS is also widely supported and sometimes preferred. Port 25 is the original SMTP port used between mail servers (MTA-to-MTA relay) but is blocked by most ISPs and cloud providers for outbound client use to prevent spam. Port 2525 is an unofficial alternative offered by some providers when 587 is blocked.

Why does Gmail SMTP require an App Password?

When Two-Factor Authentication (2FA) is enabled on your Google account, Google blocks the use of your regular password for less-secure app access including SMTP. Instead, you must generate an App Password — a 16-character code created specifically for the application. Go to Google Account → Security → 2-Step Verification → App Passwords to generate one. The App Password is used instead of your regular Gmail password in your SMTP configuration.

What is the difference between STARTTLS and SSL/TLS for SMTP?

SSL/TLS (port 465) creates an encrypted connection from the very first byte — the entire communication is wrapped in TLS before any SMTP commands are exchanged. STARTTLS (port 587) starts as a plain-text connection and then upgrades to TLS mid-session using the STARTTLS command. Both provide strong encryption. STARTTLS is the modern standard recommended by RFC 8314, while SSL/TLS on port 465 was historically deprecated but has been widely revived in practice.

What do SPF, DKIM, and DMARC do for email?

SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are authorized to send email for your domain — it prevents spoofing of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email, proving the message was not altered in transit. DMARC ties SPF and DKIM together with a policy telling receiving servers what to do when an email fails authentication — reject it, quarantine it, or allow it. All three records are essential for good email deliverability.

Why is my email going to spam even though SMTP is configured correctly?

SMTP authentication only ensures that the email is sent — it does not guarantee inbox placement. Common reasons emails land in spam even with correct SMTP: missing or misconfigured SPF, DKIM, or DMARC records; sending IP on a blacklist; no reverse DNS (PTR) record; sending too many emails too quickly; spam-like content or subject lines; low sender reputation; and no prior sending history from the domain. Use mail-tester.com to evaluate your sender score before bulk sends.

What does SMTP error 535 mean and how do I fix it?

SMTP error 535 means authentication failed — the server rejected your username or password. Common fixes: (1) Gmail — use an App Password instead of your regular password; 2FA must be enabled first. (2) Yahoo — generate an App Password in Yahoo Account Security. (3) Office 365 — ensure SMTP AUTH is enabled for the mailbox in Microsoft 365 admin center under Active users → Mail → Manage email apps. (4) Double-check the username is the full email address, not just the local part before the @ symbol.

Can I test my SMTP server without sending a real email?

Yes. Use the Telnet or OpenSSL commands shown in the Advanced tab of this tool to manually walk through the SMTP handshake. Connect with telnet smtp.example.com 587, run EHLO, STARTTLS, AUTH LOGIN, and MAIL FROM commands to test connectivity and authentication without fully sending a message. For SSL ports, use openssl s_client -connect smtp.example.com:465 instead of telnet. This reveals exactly where the connection fails.