A passing SMTP test is one of the most misleading results in email debugging. It tells you the server answered. It tells you nothing about whether your email reached the inbox, passed authentication, or avoided spam filters – the three things that actually matter. Most teams stop at the connection test. That is exactly where the real failures begin.<\/p>\n\n\n\n
This guide covers every SMTP testing method worth using, when to use each one, what correct output looks like, and what to do when the results are wrong. If you are looking for the complete step-by-step testing walkthrough, the full SMTP server diagnostic guide<\/a> covers the entire process from credential verification to delivery log analysis.<\/p>\n\n\n\n Direct Answer: Why does SMTP testing pass but email delivery still fail?<\/strong><\/p>\n\n\n\n Because SMTP testing and email delivery are two separate events. An SMTP server returning Most SMTP testing tutorials tell you to run Telnet, check for a Here is the honest problem: a successful Telnet test eliminates exactly one failure category<\/strong> \u2014 network-level connectivity. It does nothing for authentication, DNS alignment, IP reputation, content scoring, or inbox placement. If your emails are failing, there is roughly an 80 percent chance the issue is not network connectivity. It is something downstream that a connection test cannot see.<\/p>\n\n\n\n The second piece of misleading advice is testing from the wrong machine. You run Telnet from your MacBook, it connects, and you conclude the server is reachable. Meanwhile your production EC2 instance is sitting behind a security group that blocks all outbound SMTP traffic. The test was technically accurate. The conclusion was completely wrong.<\/p>\n\n\n\n The correct mental model:<\/strong> SMTP testing is a layered diagnostic process. Each layer answers a different question. Skipping layers does not save time \u2014 it just moves the failure to a place you cannot see it.<\/p>\n\n\n\n The most common SMTP testing mistake is testing connectivity from the wrong environment. A Telnet test from your local laptop tells you the server is reachable from your IP. It tells you nothing about whether the server is reachable from your production environment, your cloud instance, or your shared hosting server \u2014 which may be behind a firewall blocking port 587 entirely.<\/p>\n\n\n\n The second most common mistake is treating a 250 OK response as confirmation that email will be delivered. SMTP acceptance and inbox delivery are two separate events. A server can accept a message and then reject it internally, deliver it to spam, or have it blocked by a downstream provider \u2014 none of which surfaces as an error in your application.<\/p>\n\n\n\n Common Mistake Summary: Where SMTP Debugging Goes Wrong<\/strong><\/p>\n\n\n\n Effective SMTP testing is layered. Each method answers a different question. Using only one method means leaving entire failure categories invisible.<\/p>\n\n\n\n What it is:<\/strong> A raw TCP connection to your SMTP server that lets you manually execute SMTP protocol commands and see exact server responses at each step.<\/p>\n\n\n\n When to use it:<\/strong> First test when you suspect a connectivity or port-blocking issue. Also useful for isolating whether a failure is at the network layer or the application layer.<\/p>\n\n\n\n For unencrypted or STARTTLS connections (port 587 or 25):<\/strong><\/p>\n\n\n\n For SSL connections (port 465):<\/strong><\/p>\n\n\n\n For STARTTLS:<\/strong><\/p>\n\n\n\n Expected output:<\/strong> A Common errors:<\/strong><\/p>\n\n\n\n \u26a1 Quick Fix: Connection Refused or Timeout on All Ports<\/strong> What it is:<\/strong> Walking through the full SMTP authentication sequence manually using base64-encoded credentials to isolate credential failures from connectivity failures.<\/p>\n\n\n\n When to use it:<\/strong> When you are getting a After a successful EHLO response via Telnet or OpenSSL, issue:<\/p>\n\n\n\n The server will return a base64-encoded prompt. Encode your username and password separately:<\/p>\n\n\n\n Paste each encoded value when prompted.<\/p>\n\n\n\n Expected output:<\/strong> Common errors:<\/strong><\/p>\n\n\n\n \u26a1 Quick Fix: AUTH LOGIN Returns 535 But Credentials Are Correct<\/strong> What it is:<\/strong> Verifying that the specific port your application is configured to use is actually open and reachable from your production environment.<\/p>\n\n\n\n When to use it:<\/strong> When Telnet works locally but your application cannot connect from the server. Many cloud providers (AWS, GCP, Azure) and shared hosting environments block outbound port 25 by default. Some block 587 as well.<\/p>\n\n\n\n From your production server:<\/p>\n\n\n\n On Windows from the production environment:<\/p>\n\n\n\n Expected output:<\/strong> Common errors:<\/strong><\/p>\n\n\n\n What it is:<\/strong> Verifying that your SPF, DKIM, and DMARC records are correctly published, syntactically valid, and properly aligned with your From address.<\/p>\n\n\n\n When to use it:<\/strong> When authentication passes at the SMTP level but emails are still landing in spam or being rejected by specific providers. DNS misconfiguration is one of the most common root causes of spam placement. The SPF, DKIM, and DMARC explained guide<\/a> covers exactly how alignment failures produce spam placement even when individual authentication checks report as passing.<\/p>\n\n\n\n Check SPF:<\/p>\n\n\n\n Check DKIM (replace Check DMARC:<\/p>\n\n\n\n Expected output:<\/strong> Valid TXT records for all three. SPF should contain your sending server’s IP or include directive. DMARC should show Common errors:<\/strong><\/p>\n\n\n\n \u26a1 Quick Fix: SPF and DKIM Both Pass But DMARC Still Fails<\/strong> What it is:<\/strong> Sending a real message through your full stack and analyzing the result \u2014 spam score, authentication headers, and inbox placement \u2014 using a dedicated testing inbox.<\/p>\n\n\n\n When to use it:<\/strong> After all lower-level tests pass. This confirms that the full pipeline \u2014 application to SMTP relay to recipient inbox \u2014 works correctly. The Gmail spam placement breakdown<\/a> explains how inbox providers score incoming messages and what specifically triggers spam routing even after authentication passes.<\/p>\n\n\n\n Send to Mail-Tester<\/a>‘s generated address, then check the score report for: SPF result, DKIM result, DMARC result, content spam score, blacklist status, and header analysis.<\/p>\n\n\n\n Expected output:<\/strong> Score of 9 or higher out of 10. SPF, DKIM, and DMARC all showing as passed and aligned.<\/p>\n\n\n\n Common errors:<\/strong><\/p>\n\n\n\n Running all five methods every time is overkill. Use this decision tree to go directly to the right test for your actual problem:<\/p>\n\n\n\n250 OK<\/code> means it accepted the message for relay \u2014 not that the message reached the recipient’s inbox. Inbox placement depends on IP reputation, DNS authentication (SPF, DKIM, DMARC), and content scoring, none of which are validated by a basic connection test.<\/p>\n\n\n\nQuick Answer: SMTP Testing Methods That Actually Work<\/h2>\n\n\n\n
\n
Why Most SMTP Testing Advice Is Misleading<\/h2>\n\n\n\n
220<\/code> response, and call it done. That advice was incomplete a decade ago. Today it is actively harmful \u2014 because it gives teams false confidence at exactly the point where they should keep digging.<\/p>\n\n\n\nWhy Most SMTP Testing Fails to Find the Real Problem<\/h2>\n\n\n\n
\n
250 OK<\/code> relay response as inbox delivery confirmation<\/li>\n\n\n\nSMTP Testing Methods: The Complete Breakdown<\/h2>\n\n\n\n
Method 1: Command-Line Testing with Telnet and OpenSSL<\/h3>\n\n\n\n
telnet smtp.yourdomain.com 587<\/code><\/pre>\n\n\n\nopenssl s_client -connect smtp.yourdomain.com:465<\/code><\/pre>\n\n\n\nopenssl s_client -starttls smtp -connect smtp.yourdomain.com:587<\/code><\/pre>\n\n\n\n220<\/code> banner response confirming the server is ready. Issue EHLO yourdomain.com<\/code> \u2014 a 250<\/code> response listing supported extensions confirms the handshake is complete.<\/p>\n\n\n\n\n
Cause:<\/strong> Your hosting provider or cloud security group is blocking outbound SMTP traffic at the network level \u2014 not an SMTP server issue at all.
Fix:<\/strong> Run nc -zv smtp.yourdomain.com 587<\/code> from your production server. If it times out, the block is environmental. Contact your provider to open port 587 outbound, or switch to an SMTP relay that accepts connections on port 2525 as a fallback.<\/p>\n\n\n\nMethod 2: Manual Authentication Testing<\/h3>\n\n\n\n
535 Authentication Failed<\/code> error and need to confirm whether the credentials themselves are wrong or whether the authentication method is misconfigured. The complete SMTP 535 authentication error guide<\/a> covers every variant of authentication failure with specific resolution paths.<\/p>\n\n\n\nAUTH LOGIN<\/code><\/pre>\n\n\n\necho -n \"username@yourdomain.com\" | base64\necho -n \"yourpassword\" | base64<\/code><\/pre>\n\n\n\n235 2.7.0 Authentication successful<\/code><\/p>\n\n\n\n\n
535 5.7.8 Authentication credentials invalid<\/code> \u2014 credentials are wrong or the account requires app-specific passwords<\/li>\n\n\n\n503 Bad sequence of commands<\/code> \u2014 STARTTLS must be issued before AUTH on port 587<\/li>\n\n\n\n504 Unrecognized authentication type<\/code> \u2014 server does not support AUTH LOGIN; try AUTH PLAIN<\/li>\n<\/ul>\n\n\n\n
Cause:<\/strong> The account has two-factor authentication enabled, requires an app-specific password, or the provider has switched to OAuth2 and no longer accepts password-based AUTH LOGIN.
Fix:<\/strong> Generate an app-specific password in Gmail or Outlook security settings. If the server advertises AUTH XOAUTH2 in its EHLO response but not AUTH LOGIN, password-based authentication is disabled at the provider level \u2014 not a configuration error you can fix on your end.<\/p>\n\n\n\nMethod 3: Port and Connectivity Scanning<\/h3>\n\n\n\n
nc -zv smtp.yourdomain.com 587\n# or\ncurl -v telnet:\/\/smtp.yourdomain.com:587<\/code><\/pre>\n\n\n\nTest-NetConnection -ComputerName smtp.yourdomain.com -Port 587<\/code><\/pre>\n\n\n\nConnection to smtp.yourdomain.com 587 port [tcp\/*] succeeded<\/code><\/p>\n\n\n\n\n
nslookup smtp.yourdomain.com<\/code>.<\/li>\n<\/ul>\n\n\n\nMethod 4: DNS Record Validation<\/h3>\n\n\n\n
dig TXT yourdomain.com | grep spf<\/code><\/pre>\n\n\n\nselector<\/code> with your actual selector key):<\/p>\n\n\n\ndig TXT selector._domainkey.yourdomain.com<\/code><\/pre>\n\n\n\ndig TXT _dmarc.yourdomain.com<\/code><\/pre>\n\n\n\np=quarantine<\/code> or p=reject<\/code> for production domains.<\/p>\n\n\n\n\n
Cause:<\/strong> DMARC alignment failure \u2014 the domain authenticated by SPF or DKIM does not match the domain in the From header the recipient sees. Each check passing in isolation is not enough; the domains must align.
Fix:<\/strong> In your DMARC record, confirm whether you are using strict (aspf=s<\/code>) or relaxed (aspf=r<\/code>) alignment. Check that the envelope-from domain (SPF) and the DKIM signing domain (d=<\/code> tag) both match or subdomain-match your From address. If using a third-party sender, they must sign with your domain, not theirs.<\/p>\n\n\n\nMethod 5: End-to-End Delivery Testing<\/h3>\n\n\n\n
\n
Which Testing Method to Use: Decision Framework<\/h2>\n\n\n\n