The Legacy of SMTP “Port 25” Support in Azure Virtual Machines

Simple Mail Transfer Protocol (SMTP) has served as the foundation of email communication, with port 25 acting as the traditional channel for mail transmission. However, as cloud computing advances, security concerns and anti-spam measures have led to restrictions on this legacy protocol.

Microsoft Azure, like other major cloud providers, enforces limitations on outbound SMTP traffic over port 25 to prevent abuse and maintain network integrity.

This blog examines the historical significance of port 25 in email transmission, its role in Azure VMs, the restrictions Microsoft has implemented, and the recommended alternatives for sending emails from Azure based applications.

The Historical Role of SMTP “Port 25”

SMTP was first defined in RFC 821 and later updated in RFC 5321 as a simple, text-based protocol for sending emails between servers. Port 25 emerged as the standard for SMTP communication, enabling direct mail server-to-server exchanges.

In the early internet era, open SMTP relays were widespread, allowing servers to forward emails without strict authentication. Unfortunately, this openness was exploited by spammers, leading to significant abuse. In response, Internet Service Providers (ISPs) and cloud platforms, including Azure, implemented restrictions to combat spam and phishing attacks.

Port 25 in Azure Virtual Machines

Azure VMs offer flexible infrastructure for hosting applications, including email services. However, due to the risks associated with open SMTP relays, Microsoft blocks outbound traffic on port 25 by default. This measure prevents compromised VMs from being used as spam relays.

Key Restrictions on Port 25 in Azure

By default, new Azure subscriptions block outbound SMTP traffic on port 25 at the network level. Attempting to send emails directly via port 25 from a VM typically results in connection failures unless an exception is granted.

Customers with Azure Enterprise Agreement (EA) subscriptions or Pay-As-You-Go subscriptions can request the removal of this block by contacting Microsoft support. However, approval is subject to a review process to ensure legitimate use cases.

Instead of relying on port 25, Microsoft recommends using authenticated SMTP submission ports such as 587 or 465 with TLS, or leveraging Azure Communication Services Email for scalable email delivery.

Why Azure Restricts Port 25

Azure's restrictions on SMTP port 25 stem from several security and operational concerns. Open SMTP relays are prime targets for spammers, and by restricting port 25, Azure reduces the risk of its IP ranges being blacklisted.

Email providers like Microsoft 365 and Google enforce strict anti-spam policies, and Azure’s restrictions help maintain the reputation of its network. Modern email transmission relies on

authenticated and encrypted channels, such as TLS on ports 587 or 465, whereas port 25 often lacks mandatory encryption.

Recommended Alternatives to Port 25 in Azure

While some enterprises may justify opening port 25 for legacy systems, most modern applications should adopt more secure and scalable alternatives.

Authenticated SMTP Submission (Port 587 or 465)

Instead of direct SMTP relay over port 25, applications should use port 587, the standard for SMTP email submission with STARTTLS encryption. Port 465, though older, is still supported for implicit TLS. These ports require authentication, such as a username and password or API keys, reducing the risk of unauthorized use. Azure VMs can integrate with third-party email services like SMTP2Go, SendGrid, Mailgun, or Microsoft 365 SMTP for reliable delivery.

Azure Communication Services Email

Microsoft’s Azure Communication Services offers a cloud-based email solution that bypasses traditional SMTP limitations. This service provides scalability, handling large email volumes without the need to manage SMTP servers. It includes built-in security features such as OAuth 2.0 authentication and integration with Azure Active Directory. Additionally, it optimizes deliverability, reducing the risk of emails being flagged as spam.

Third-Party Email Relay Services

Services like SendGrid, SMTP2Go, Mailjet, and Postmark provide SMTP APIs that work seamlessly within Azure. These services offer dedicated IPs to improve email deliverability, along with analytics and tracking to monitor email opens, clicks, and bounces. They also ensure compliance with anti-spam regulations such as CAN-SPAM and GDPR.

How to Configure SMTP in Azure VMs (When Necessary)

For organizations that must use SMTP port 25, such as for legacy applications, specific steps can be taken. Enterprise Agreement customers can submit a request via the Azure portal to unblock port 25, providing justification and details on anti-spam measures like IP restrictions and rate limiting.

Another approach is to use a dedicated SMTP relay service, configuring an on-premises or cloud-based relay that forwards emails via permitted ports. Implementing rate limiting and monitoring ensures outbound emails comply with Azure’s acceptable use policy, avoiding service suspension.

Although SMTP port 25 remains a foundational protocol for email, its open nature presents significant security risks in cloud environments. Azure’s restrictions on outbound port 25 traffic aim to prevent abuse while encouraging modern, secure alternatives such as authenticated SMTP on ports 587 or 465 and Azure Communication Services Email.

Enterprises with legacy dependencies may request exceptions, but the long-term solution lies in migrating to authenticated, encrypted email delivery methods. By adopting these best practices, businesses can ensure reliable email communication without compromising security or deliverability.

If you have a legacy solution that still requires Port 25 for email transactions and need assistance with solutions that solve this problem, please contact your Surestep Ambassador team at

This email address is being protected from spambots. You need JavaScript enabled to view it. to assist you with possible guidance around other solutions available to aid your mission.