Last updated: July 2026

In short: Scaleway blocks remote outbound SMTP traffic across ports 25, 465, and 587 on all cloud Instances by default to prevent spam. Unblocking these ports can be completed in self-service via Security Group settings, but requires completing mandatory identity verification (KYC) first.

When deploying a web application or self-hosted email infrastructure on a Scaleway Instance, standard outbound mail transmission fails out of the box. Unlike many cloud providers that restrict only direct server-to-server delivery over port 25, Scaleway applies a comprehensive network restriction covering all standard mail transmission ports.

Default restriction across all remote SMTP ports

The network filter operates upstream from your virtual machine and intercepts all outbound connections targeted at remote mail systems across standard protocols. According to Scaleway’s official documentation: By default, remote SMTP ports (25, 465, and 587) are blocked and cannot be accessed from our infrastructure to prevent spam. To send emails from your Instance, you need to open these ports in the security group configuration.

This means attempting to connect to an external smarthost relay over port 587 or 465 will time out initially until the ports are explicitly enabled within your Instance’s assigned Security Group.

Prerequisite for unblocking: KYC verification

Before the Scaleway console allows you to open outbound SMTP ports within your Security Group rules, you must prove your identity. Scaleway enforces this preliminary requirement: Completed the identity verification process (KYC)

Until you have submitted and verified your official identification documents (Know Your Customer) through the Scaleway portal, the Security Group setting to open SMTP ports remains disabled.

Self-service unblocking in Security Groups

Once your identity verification process is approved, you can unblock outbound mail traffic directly without waiting for a support ticket review. To do this, follow the official procedure: Select the security group for which you want to enable SMTP ports.

By checking the enable option within the corresponding Security Group and applying the updated policy to your running Instances, outbound traffic across remote ports 25, 465, and 587 is permitted immediately at the network boundary.

IP reputation reality check

Even after verifying your KYC status and opening the SMTP ports within your Security Group, delivering mail directly from a Scaleway Instance (via port 25) carries ongoing deliverability challenges. Because Scaleway public IP pools are dynamically recycled across thousands of developers, data center subnets carry significant pre-existing reputation issues.

Frequently, Scaleway IP ranges are listed on strict blocklists (DNSBLs) such as UCEPROTECT (Level 2 or 3) and Spamhaus. Major inbox providers (including Gmail, Outlook, and Yahoo) aggressively scrutinize direct mail originating from cloud subnets, often sending messages directly to spam folders or rejecting them despite valid SPF and DKIM records.

Once you unlock SMTP ports in your Security Group after completing KYC verification, you should avoid sending direct mail over port 25. Instead, route your outbound mail through an authenticated smarthost relay over port 587 (Submission) to ensure high deliverability and clean IP reputation.

A standard Postfix configuration (/etc/postfix/main.cf) for relaying through an external smarthost over port 587 looks like this:

relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Or send reliably via Dispatch. If you want to avoid KYC identity verification delays, Security Group adjustments, blocklist troubleshooting, and smarthost maintenance, you can route your outbound mail quickly and securely via Dispatch.

Verifying your configuration

Once your Security Group ports are open and your sending workflow is configured, verify your email authentication records (SPF, DKIM, DMARC) and domain health using the free MXAudit scanner.

Further reading