Last updated: July 2026

In short: Almost every modern cloud and bare metal hosting provider restricts outbound email traffic over TCP port 25 by default to combat spam and safeguard IP reputation. This guide summarizes the policies across 13 major providers, outlines their specific unblocking procedures, and explains why smarthost relaying over port 587 is frequently the superior technical choice.

When deploying a self-hosted email server (such as Postfix, Mailcow, or Microsoft Exchange) on a virtual server or dedicated instance, outbound delivery attempts to remote destinations routinely experience connection timeouts. In most situations, this is caused not by a server misconfiguration, but by an upstream network filter enforced by your cloud provider blocking outbound traffic on TCP port 25.

Why hosting providers block port 25

Because data center IP ranges are dynamically recycled across thousands of developers, bad actors frequently spin up instances to launch automated spam and phishing blasts. Without network edge restrictions on port 25, entire subnets would quickly become listed on global blocklists (DNSBLs) such as Spamhaus and UCEPROTECT, degrading email deliverability for every customer sharing that infrastructure.

Provider policy breakdown (13 platforms)

Each hosting provider implements distinct rules for removing outbound port 25 restrictions—ranging from automated self-service panel toggles to strict account history criteria and identity verification. Choose your provider from the list below to review exact requirements, official quotes, and step-by-step unblocking workflows:

European and German providers

  • Hetzner Cloud & Dedicated: Port 25 is blocked by default across all new cloud servers. After maintaining an active account history for at least one month and paying all invoices, users can submit a manual limit request in the Cloud Console.
  • Netcup: Outbound mail ports are restricted by default. Once all invoices are settled and clean address data is verified, customers can remove the block instantly via a self-service toggle in the Server Control Panel (SCP).
  • Contabo: Outbound traffic is not completely blocked at the network edge, but is governed by strict daily sending volume limits to prevent abuse. Increases require contacting technical support.
  • IONOS: Centrally blocked across Cloud and Dedicated servers. Removing the restriction requires configuring three technical prerequisites (FQDN, rDNS, SPF) and completing a phone verification call with customer service.
  • STRATO: Restricted by default across server products (especially Windows Root servers) for security. Unblocking requires opening a support ticket after setting up valid reverse DNS records.
  • OVHcloud: Blocked across VPS, Dedicated, and Public Cloud instances by default. Customers must open a support inquiry for manual review by the abuse and technical teams.
  • Scaleway: Restricts remote SMTP ports 25, 465, and 587 out of the box. After completing identity verification (KYC), customers can enable outbound SMTP directly within their Security Group settings.

Global cloud platforms and US providers

  • Amazon Web Services (AWS EC2): Outbound port 25 is throttled and blocked for all public IPv4 and IPv6 destinations. Removal requires submitting an official removal request form for each specific AWS region.
  • Microsoft Azure: Open for Enterprise Agreement subscriptions, but permanently blocked for Pay-As-You-Go tiers. Dev/Test subscriptions can request unblocking through the portal diagnostic tool.
  • Google Cloud (GCP Compute Engine): Outbound port 25 to the internet is strictly blocked (even for Google Workspace relays). Google requires routing outbound traffic through authenticated relays on port 587 or 465.
  • DigitalOcean: Blocks outbound ports 25, 465, and 587 across all Droplets and Reserved IPs by default without unblocking exceptions, strongly advising third-party email providers.
  • Vultr: TCP port 25 is included in the default outbound blocked ports list, but can be removed upon manual request by opening a technical support ticket.
  • Oracle Cloud Infrastructure (OCI): Blocked by default for all tenancies created after June 23, 2021. Sending mail requires submitting a formal service limits increase request to obtain an exemption.

The underlying challenge: data center IP deliverability

Even if your hosting provider approves your request and unblocks outbound port 25, delivering mail directly from a cloud instance presents major deliverability hurdles. Major receiving platforms—including Gmail, Yahoo, Apple iCloud, and Microsoft Outlook—apply aggressive filtering algorithms to traffic originating from data center subnets.

Because cloud IP ranges carry high historical turnover, messages sent directly from VPS instances frequently land in spam folders or face outright rejections based on DNS blocklists (such as Spamhaus or UCEPROTECT Level 2/3), regardless of valid SPF, DKIM, and DMARC configuration.

To bypass provider restrictions on port 25 and avoid the poor deliverability associated with data center IP ranges, you should route outbound mail via port 587 (Submission) through an authenticated smarthost relay. Port 587 is designed specifically for encrypted client submission and is unrestricted across almost all providers (with the exception of DigitalOcean and initially Scaleway).

A standard configuration snippet in your Postfix /etc/postfix/main.cf file for routing mail through an authenticated smarthost relay looks like this:

relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Or send reliably via Dispatch. If you want to avoid support request tickets, KYC verification hurdles, blocklist monitoring, and smarthost management, you can route your outbound mail quickly and securely via Dispatch.

Verifying your configuration

Once your external smarthost or relay workflow is active, verify your email authentication headers (SPF, DKIM, DMARC) and overall domain deliverability using the free MXAudit scanner.