What to Use, When to Use It, and Why It Breaks at 2AM
Email delivery looks simple from the outside. A button says "Send". A message flies away. Magic.
Behind that button lives SMTP. A protocol older than most frontend frameworks and still more reliable than half of them.
Let's dissect it properly. Clean. Practical. No fluff.
What Is SMTP?
SMTP stands for Simple Mail Transfer Protocol.
It is the protocol used to send emails between servers and from applications to mail servers.
It does not handle inbox reading. That's IMAP or POP3.
SMTP is the delivery truck.
Core SMTP Configuration Fields
When configuring SMTP in Node.js, NestJS, or any backend, you usually see:
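{
  host: "",        // SMTP server hostname
  port: 0,         // placeholder: 465, 587, 2525 or 25
  secure: false,   // true = TLS from the first byte, false = STARTTLS
  auth: {
    user: "",
    pass: ""
  }
}
Let's decode each part.
1. host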
The SMTP server address.
Examples:
- smtp.gmail.com
- smtp.sendgrid.net
- mail.yourdomain.com
This is where your app connects to send mail.
2. port
The communication channel. Different ports = different security expectations.
Here's the real breakdown:
| Port | Usage | Secure Value |
|------|-------|--------------|
| 465 | SSL/TLS (immediate encryption) | true |
| 587 | STARTTLS (recommended) | false |
| 2525 | Alternative to 587 | false |
| 25 | Server to server (often blocked) | false |
Port 465
port: 465,
secure: true
Encryption starts immediately.
Use when:
- Provider explicitly supports SSL on 465
- Corporate mail setups
- Traditional configurations
Port 587 (Recommended)
port: 587,
secure: false
The connection starts unencrypted, then upgrades to TLS with STARTTLS.
Use when:
- Sending transactional emails
- Production apps
- Gmail, SendGrid, Mailgun setups
This is the industry standard.
Port 2525
port: 2525,
secure: false
Used when:
- 587 is blocked by firewall
- Cloud providers restrict port 25
- Hosting environments limit SMTP traffic
Think of it as the reliable backup lane.
Port 25
Old-school SMTP. Mostly used for server-to-server communication.
Avoid for application-level sending unless specifically required.
secure: true vs secure: false
This setting controls how encryption is initiated.
secure: true
- SSL from first byte
- Used with port 465
secure: false
- Uses STARTTLS
- Encryption begins after connection
- Used with 587 or 2525
Common mistake:
port: 587,
secure: true // wrong: port 587 expects STARTTLS
That causes handshake failure.
auth
Authentication credentials.
auth: {
  user: process.env.SMTP_USER,
  pass: process.env.SMTP_PASS
}
Best practices:
- Never hardcode credentials
- Use environment variables
- Prefer app passwords for Gmail
- Use API-based mail providers in production
Where to Use SMTP?
1. Small Apps / MVPs
Use:
- Gmail SMTP
- Port 587
- secure: false
Good for:
- Internal tools
- Testing
- Early-stage projects
2. Production SaaS / Enterprise Apps
Use:
- SendGrid
- Mailgun
- Amazon SES
- Dedicated SMTP relay
Why?
- Better deliverability
- SPF, DKIM, DMARC support
- Rate limiting protection
- Analytics & bounce handling
3. High-Scale Notification Systems
If you're building something like:
- OTP systems
- Approval workflows
- Finance notifications
- Campaign systems
You should:
- Separate email service layer
- Use queues (BullMQ / RabbitMQ / NATS)
- Implement retry logic
- Track bounce & failure states
SMTP alone is transport. Reliability comes from architecture.
Production Best Practices
Always Enable TLS
Even if secure: false, STARTTLS should be enabled.
Configure SPF, DKIM, DMARC
Without these, emails land in spam.
Use a Dedicated Domain
Don't send from personal Gmail in production.
Handle Failures Gracefully
SMTP servers can throttle or reject.
Use Connection Pooling
In high-volume systems.
Example:
{
  pool: true,
  maxConnections: 5,
  maxMessages: 100
}
Why SMTP Config Fails
Most common reasons:
- Port and secure mismatch
- Firewall blocking outbound SMTP
- Wrong credentials
- TLS version mismatch
- Provider rate limits
Debug tip: Always enable logging during setup.
Example: Clean Production Configuration
{
  host: process.env.SMTP_HOST,
  port: 587,
  secure: false,
  auth: {
    user: process.env.SMTP_USER,
    pass: process.env.SMTP_PASS
  },
  tls: {
    rejectUnauthorized: true
  }
}
Simple. Predictable. Stable.
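A pre-deploy lint for the port, TLS and credential failure modes listed above, as an added example that is not from the original post. It assumes the config objects are Nodemailer transport options; auditSmtpConfig and its finding codes are hypothetical names, and requireTLS is a Nodemailer option the post does not mention, which makes sending fail rather than continue unencrypted when STARTTLS cannot be negotiated.

```javascript
// Added example, not from the original post. Assumes Nodemailer-style options;
// auditSmtpConfig and the finding codes are hypothetical names.
const IMPLICIT_TLS_PORTS = new Set([465]);
const STARTTLS_PORTS = new Set([25, 587, 2525]);

function auditSmtpConfig(cfg) {
  const findings = [];
  const add = (code, message) => findings.push({ code, message });
  const secure = cfg.secure === true;
  const tls = cfg.tls || {};

  if (!cfg.host) add("NO_HOST", "host is empty");
  if (IMPLICIT_TLS_PORTS.has(cfg.port) && !secure) {
    add("PORT_SECURE_MISMATCH", "port 465 expects TLS from the first byte: set secure: true");
  }
  if (STARTTLS_PORTS.has(cfg.port) && secure) {
    add("PORT_SECURE_MISMATCH", `port ${cfg.port} starts in plaintext: set secure: false and use STARTTLS`);
  }
  // Assumption (Nodemailer behaviour): with secure: false the STARTTLS upgrade is
  // opportunistic unless requireTLS is true, so a server that does not offer
  // STARTTLS would receive the credentials and message unencrypted.
  if (!secure && cfg.requireTLS !== true) {
    add("STARTTLS_NOT_ENFORCED", "set requireTLS: true so sending fails instead of falling back to plaintext");
  }
  if (tls.rejectUnauthorized === false) {
    add("CERT_NOT_VERIFIED", "tls.rejectUnauthorized: false accepts any certificate");
  }
  if (!cfg.auth || !cfg.auth.user || !cfg.auth.pass) {
    add("NO_AUTH", "auth.user or auth.pass is missing (unset environment variable?)");
  }
  return findings;
}

// Constructed sample configs (placeholder host and credentials, not real ones).
const pageMistake = { host: "smtp.example.test", port: 587, secure: true,
  auth: { user: "app", pass: "from-env" } };
const hardened = { host: "smtp.example.test", port: 587, secure: false, requireTLS: true,
  auth: { user: "app", pass: "from-env" }, tls: { rejectUnauthorized: true } };

for (const [name, cfg] of Object.entries({ pageMistake, hardened })) {
  const codes = auditSmtpConfig(cfg).map((f) => f.code);
  console.log(name, codes.length ? codes.join(", ") : "ok");
}
```

Run against the clean production configuration above, the check reports STARTTLS_NOT_ENFORCED, because secure: false alone leaves the TLS upgrade optional.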
Final Mental Model
SMTP is not email marketing.
SMTP is not analytics.
SMTP is not inbox management.
SMTP is transport.
Think of it like TCP for email.
Reliable when configured properly. Brutal when misconfigured.
If you want, I can also write:
- A version comparing SMTP vs Email APIs
- A NestJS-specific SMTP implementation guide
- A deep dive into SPF/DKIM/DMARC
Choose your weapon.