Last updated: July 2026

In short: Oracle Cloud Infrastructure (OCI) blocks outbound TCP port 25 to the internet by default for all tenancies created after June 23, 2021. Requesting an exemption requires opening a formal service limits increase request. Alternatively, authenticated smarthost relaying via port 587 remains fully accessible.

When deploying a self-hosted email infrastructure on an Oracle Cloud Infrastructure (OCI) compute instance, direct outbound delivery to remote mail servers often encounters connection timeouts. Whether your instance can route traffic over TCP port 25 depends entirely on the creation date of your OCI tenancy.

The cutoff date: June 23, 2021

Oracle instituted a hard cutoff policy to combat outbound spam and safeguard its global data center IP reputation. In official OCI virtual cloud network documentation, the provider states: Tenancies made after June 23, 2021 are by default not allowed to send e-mail through outbound TCP port 25 to the internet. Tenancies made before June 23, 2021 are unaffected. If you require the ability to send email from your tenancy, open a service limits request to obtain an exemption.

Under this rule, older accounts registered prior to the cutoff date continue operating without network edge restrictions on port 25, whereas newer tenancies have outbound TCP port 25 blocked by the OCI network gateway by default.

Requesting an exemption via service limits

If your application architecture necessitates direct outbound delivery over port 25, you must submit a formal exemption application. In OCI, this workflow is handled explicitly through the service limits escalation system rather than general technical support (open a service limits request).

During the review process, Oracle support evaluates your operational requirement. Before opening the limit request, ensure your compute instance has a valid reverse DNS (PTR) record published within the OCI console alongside configured SPF and DKIM authentication records to verify legitimate sending intent.

IP reputation reality check

Even if Oracle approves your service limits request and unblocks port 25 on your tenancy, delivering email directly from OCI compute IP addresses carries substantial deliverability hurdles. Because OCI dynamically allocates public IP pools across thousands of tenants—accentuated by turnover from its popular Free Tier—data center subnets inherit pre-existing negative reputation history.

Frequently, OCI IP ranges appear on aggressive blocklists (DNSBLs) such as UCEPROTECT (Level 2 or 3) and Spamhaus. Major receiving providers (including Gmail, Outlook, and Yahoo) strictly scrutinize direct traffic originating from hosting subnets, frequently routing messages to spam folders or quarantining them despite valid authentication headers.

Smarthost relaying via port 587

To bypass the service limits request queue and avoid the deliverability risks of hosting subnets, you can route your outbound mail via port 587 (Submission) through an authenticated smarthost relay. Port 587 is designed for client submission and is unaffected by the June 2021 tenancy cutoff date restriction.

A standard Postfix configuration (/etc/postfix/main.cf) for relaying through an external smarthost over port 587 looks like this:

relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Or send reliably via Dispatch. If you want to avoid service limit requests, blocklist monitoring, reverse DNS configuration audits, and managing an external smarthost relay, you can route your outbound mail quickly and securely via Dispatch.

Verifying your configuration

Once your external smarthost or relay path is active, verify your email authentication headers (SPF, DKIM, DMARC) and overall domain health using the free MXAudit scanner.

Further reading