Share via

Request to remove outbound SMTP port 25 restriction

Boskora LLC 0 Reputation points
2026-03-11T11:01:34.9333333+00:00

Hello,

I am running a virtual machine in Microsoft Azure for my business Boskora LLC.

Outbound SMTP port 25 appears to be blocked on my VM. I need to send legitimate transactional and business emails from my application to users who have opted in.

I will configure proper email authentication including SPF, DKIM, DMARC, and reverse DNS to ensure compliance with email best practices.

Could someone please advise on how to request removal of the outbound SMTP port 25 restriction for my subscription or VM?

Thank you.

Azure Virtual Machines
Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Serhii-Roman Kikot 85 Reputation points
    2026-03-11T11:48:36.8533333+00:00

    Hello Boskora LLC,

    Thank you for reaching out to Microsoft Q&A!

    Outbound port 25 is blocked by default on most Azure subscription types (such as Pay-As-You-Go, Free Trial, and CSP). This block is strictly enforced to prevent spamming, protect the IP reputation of the Azure platform, and ensure better security for our customers and partners.

    While Enterprise Agreement (EA) and Microsoft Customer Agreement for Enterprise (MCA-E) subscriptions generally have this port open by default (or are eligible for an unblock), standard subscriptions cannot have the port 25 restriction removed

    To send legitimate business and transactional emails from your current subscription without upgrading to an EA/MCA-E, you must use an authenticated SMTP relay service over TCP port 587. Since you plan to configure email authentication (SPF, DKIM, DMARC), Azure Communication Services is an option for you.

    I suggest you to follow official instructions in order to setup SMTP Relay: Microsoft Learn Guide or Tech Community Guide

    Here is a short summary of how to set this up:

    1. Create an Azure Communication Service Resource. Microsoft Learn Guide
    2. Create an Email Communication Service. You must have Azure Communication Service resource in order to create Email Communication Service. Microsoft Learn Guide
    3. Once created, you add your email domain and you will be able to configure SPF and DKIM.
    4. Link domain to your Azure Communication Service
    5. Register a custom RBAC Role for SMTP authentication and assign this role to your Microsoft Entra Application. Microsoft Learn Guide
    6. Once created, you can assign role to your Entra Application. Microsoft Learn Guide

    You can view your email address in Email Communication Service -> Email Services -> MailFrom address By default you will have DoNotReply@.... email.

    If you need more clear instructions, please let me know.

    If you have any queries, please do let us know, we will help you.

    If the information is helpful, please click on "Accept Answer" and "Upvote"

    0 comments
  2. Vallepu Venkateswarlu 6,045 Reputation points Microsoft External Staff Moderator
    2026-03-11T11:32:07.6966667+00:00

    Hi @ Boskora LLC,

    Welcome to Microsoft Q&A Platform.

    Azure does not allow outbound SMTP traffic on port 25 from most Azure services, and this restriction applies across many subscription types to protect the global IP reputation of Azure resources.

    Reference: Azure Communication Services and authenticated SMTP relay service.

    The recommended way to send email from Azure VMs or Azure App Service is to use an authenticated SMTP relay service, which operates on TCP port 587.

    Refer the link: https://learn.microsoft.com/en-us/answers/questions/5625166/how-can-i-request-azure-to-unblock-outbound-smtp-p Which I already answered earlier for the same issue.

    The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards.

    If you're using a subscription type that isn't an Enterprise Agreement or MCA-E, we encourage you to use an authenticated SMTP relay service, as outlined earlier in this article.

    Ref: All other subscription types

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  3. Marcin Policht 82,360 Reputation points MVP Volunteer Moderator
    2026-03-11T11:10:37.7233333+00:00

    Refer to https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-network/troubleshoot-outbound-smtp-connectivity

    We recommend you use authenticated SMTP relay services to send email from Azure VMs or from Azure App Service. Connections to authenticated SMTP relay services are typically on TCP port 587 and isn't blocked. These services are used in part to maintain IP reputation that is critical for delivery reliability. Azure Communication Services offers an authenticated SMTP relay service. Ensure that the default rate limits are appropriate for your application and open a support case to raise them if needed.

    Using these email delivery services on authenticated SMTP port 587 isn't restricted in Azure, regardless of the subscription type.

    Enterprise and MCA-E

    For VMs and Azure Firewall that are deployed in standard Enterprise Agreement or Microsoft Customer Agreement for enterprise (MCA-E) subscriptions, the outbound SMTP connections on TCP port 25 aren't blocked. However, there's no guarantee that external domains accept the incoming emails from the VMs and Azure Firewall. For emails rejected or filtered by the external domains, contact the email service providers of the external domains to resolve the problems. These problems aren't covered by Azure support.

    For Enterprise Dev/Test subscriptions, port 25 is blocked by default. It's possible to have this block removed. To request to have the block removed, go to the Cannot send email (SMTP-Port 25) section of the Diagnose and Solve section in the Azure Virtual Network resource in the Azure portal and run the diagnostic. This process exempts the qualified enterprise dev/test subscriptions automatically.

    After the subscription is exempted from this block, the VMs must be stopped, deallocated, and then restarted to get the new network policy, all VMs in that subscription are exempted going forward. If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.

    All other subscription types

    The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards.

    If you're using a subscription type that isn't an Enterprise Agreement or MCA-E, we encourage you to use an authenticated SMTP relay service, as outlined earlier in this article.

    Need help? Contact support

    If you're using an Enterprise Agreement or MCA-E subscription and still need help, contact support to get your problem resolved quickly. Use this issue type: Technical > Virtual Network > Cannot send email (SMTP/Port 25).

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.