tl;dr - Your program should support 465 and optionally 587 – implicit TLS via submissions over port 465 is where we’re moving to, according to RFC 8314 from 2018.

UPDATE (2022/12/05) Thanks to some feedback from very helpful folks on r/sysadmin, it's clear that STARTTLS is even worse than I thought!

After experiencing a bit of pain making my somewhat complicated email setup work properly with SNI-based forwarding, I realized that up until now I’ve also believed that STARTTLS on 587 was ...
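A client-side sketch of the tl;dr recommendation, added here as an example and not taken from the original post: implicit TLS on 465 first, 587 only with a mandatory STARTTLS upgrade. The names `open_submission`, `connect_submission` and `TLSRequiredError`, and the `smtp_cls`/`smtp_ssl_cls` parameters (there so the logic can be exercised without a network), are assumptions of this example.

```python
import smtplib
import ssl


class TLSRequiredError(Exception):
    """The session could not be placed under TLS, so it was abandoned."""


def open_submission(host, port, timeout=10, context=None,
                    smtp_cls=smtplib.SMTP, smtp_ssl_cls=smtplib.SMTP_SSL):
    """Return an SMTP session that is under verified TLS, or raise."""
    # The default context verifies the certificate chain and the hostname.
    context = context or ssl.create_default_context()
    if port == 465:
        # Implicit TLS (RFC 8314): the handshake precedes every SMTP byte.
        return smtp_ssl_cls(host, port, timeout=timeout, context=context)
    if port == 587:
        conn = smtp_cls(host, port, timeout=timeout)
        try:
            conn.ehlo()
            # The capability list arrives in cleartext. If STARTTLS is
            # missing from it, stop; never continue without encryption.
            if not conn.has_extn("starttls"):
                raise TLSRequiredError(f"{host}:587 did not offer STARTTLS")
            conn.starttls(context=context)
            conn.ehlo()  # capabilities must be re-read after the upgrade
            return conn
        except Exception:
            conn.close()
            raise
    raise ValueError(f"port {port} is not a mail submission port")


def connect_submission(host, ports=(465, 587), **kwargs):
    """Try 465 first, then 587. Only an unreachable port triggers the
    fallback; TLS and certificate errors propagate to the caller."""
    last_error = None
    for port in ports:
        try:
            return open_submission(host, port, **kwargs)
        except (ConnectionError, TimeoutError) as exc:
            last_error = exc
    raise last_error or ValueError("no ports given")
```

A caller authenticates and sends on the returned session as usual, for example `connect_submission("mail.example.test").login(user, password)` with a constructed hostname.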