SMTP Connectivity Troubleshooting

Issue

You can’t connect to an SMTP server (or email sending fails) when using SMTP, and you may see symptoms like timeouts, connection refused, missing STARTTLS, or TLS handshake errors such as "Didn't find STARTTLS in server response", "handshake failure", or "wrong version number".

This article helps you verify DNS resolution, port connectivity, and TLS negotiation from macOS or Windows, and provides copy/paste diagnostics bundles you can send to Support.

 

Product

SMTP (Email Delivery)

 

Cause

Common causes include:

  • Ports blocked by a firewall/ISP/corporate network (especially port 25, sometimes 587)
  • VPN/corporate DNS rewriting (your computer resolves the SMTP hostname to an internal/private IP instead of the public service)
  • Network proxies or security tools interfering with STARTTLS (STARTTLS capability stripped or TLS handshake interrupted)
  • Wrong protocol for the port (for example, using STARTTLS against port 465, which expects implicit TLS)

 

Resolution

 

Supported ports (reference)

  • TLS via STARTTLS (recommended): 587
  • TLS via STARTTLS (or unencrypted; network-dependent): 25, 2525
  • SSL/TLS (implicit TLS): 465

Notes: Many ISPs/corporate networks block 25. If 587 is blocked, 2525 is a common fallback. If STARTTLS is being interfered with, 465 (implicit TLS) often works.


macOS: Verify SMTP connectivity

0) Set your SMTP host

Replace with your SMTP hostname:

SMTP_HOST="smtp.sendgrid.net"

1) DNS checks (detect split DNS / DNS rewriting)

1.1 What macOS resolves (system resolver)

dscacheutil -q host -a name "$SMTP_HOST"

1.2 Compare with public DNS (bypasses VPN/corp DNS rewriting)

dig @1.1.1.1 +short "$SMTP_HOST"
dig @8.8.8.8 +short "$SMTP_HOST"

What to look for

If dscacheutil returns an IP in 10.x, 192.168.x, 172.16–31.x, or 100.64.x but public DNS returns public IPs, the network/VPN is likely intercepting or rewriting DNS.
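
The comparison described above can be scripted. The following is an added example, not part of the original article: the function names `ip_class` and `dns_verdict` and the sample addresses are constructed for illustration. It checks the exact private and CGNAT boundaries (100.64.0.0/10 runs from 100.64.x to 100.127.x) and treats differing public answers as normal rather than as evidence of rewriting.

```sh
#!/bin/sh
# Added example; addresses below are constructed (RFC 5737 documentation ranges).

# ip_class ADDR -> private | cgnat | loopback | public | invalid
ip_class() (
  set -f; IFS=.
  set -- $1                      # split the dotted quad into $1..$4
  [ $# -eq 4 ] || { echo invalid; exit 0; }
  for o in "$@"; do
    case $o in ''|*[!0-9]*|????*) echo invalid; exit 0 ;; esac
    [ "$o" -le 255 ] || { echo invalid; exit 0; }
  done
  if   [ "$1" -eq 10 ]; then echo private                                        # 10.0.0.0/8
  elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private  # 172.16.0.0/12
  elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private                   # 192.168.0.0/16
  elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # 100.64.0.0/10
  elif [ "$1" -eq 127 ]; then echo loopback                                      # 127.0.0.0/8
  else echo public
  fi
)

# dns_verdict "SYSTEM_ANSWERS" "PUBLIC_ANSWERS" (whitespace-separated resolver output).
# Tokens that are not IPv4 addresses (CNAME targets from dig +short, IPv6) are ignored.
dns_verdict() (
  set -f
  sys=$(echo $1); pub=$(echo $2)   # collapse newlines into single spaces
  [ -n "$sys" ] || { echo no-system-answer; exit 0; }
  pub_public=no
  for ip in $pub; do
    if [ "$(ip_class "$ip")" = public ]; then pub_public=yes; fi
  done
  for ip in $sys; do
    c=$(ip_class "$ip")
    case $c in private|cgnat|loopback)
      if [ "$pub_public" = yes ]; then echo "rewritten: $ip ($c)"
      else echo "internal-everywhere: $ip ($c)"; fi
      exit 0 ;;
    esac
  done
  for ip in $sys; do
    [ "$(ip_class "$ip")" = public ] || continue
    case " $pub " in *" $ip "*) echo consistent; exit 0 ;; esac
  done
  # Differing public answers are normal for load-balanced hosts, not proof of rewriting.
  echo differs-public
)

# Constructed sample: answer seen behind a VPN vs. answers from a public resolver.
dns_verdict "10.8.0.53" "198.51.100.10 198.51.100.11"
```

To use it with live data, pass the system resolver's addresses as the first argument and the output of `dig @1.1.1.1 +short "$SMTP_HOST"` as the second.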

2) Port reachability test (which ports are open)

for p in 587 25 2525 465; do
  echo "== Testing port $p =="; nc -vz -w 3 "$SMTP_HOST" "$p"
done

Interpretation

  • succeeded! = TCP connection is possible
  • timed out = blocked by firewall/network route
  • refused = host reachable, but port closed (or filtered)

3) Confirm SMTP banner + STARTTLS advertisement (587 / 25 / 2525)

3.1 Banner test (should return a line starting with 220)

nc -v -w 5 "$SMTP_HOST" 587

3.2 EHLO capability check (look for 250-STARTTLS)

587

printf 'EHLO test.local\r\nQUIT\r\n' | nc -v -w 5 "$SMTP_HOST" 587

25

printf 'EHLO test.local\r\nQUIT\r\n' | nc -v -w 5 "$SMTP_HOST" 25

2525

printf 'EHLO test.local\r\nQUIT\r\n' | nc -v -w 5 "$SMTP_HOST" 2525

Interpretation

  • If the EHLO response includes STARTTLS, that port supports upgrading to TLS with STARTTLS.
  • If STARTTLS is missing, then STARTTLS will not work on that endpoint/port (or a proxy/interceptor is stripping capabilities).
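
The EHLO output from step 3.2 can be interpreted automatically. The following is an added example, not part of the original article: the function name `ehlo_verdict`, its verdict strings, and the sample transcript are constructed. It handles the final `250 ` line as well as `250-` continuation lines, matches the keyword case-insensitively, and flags a masked keyword separately from a missing one (the masking heuristic is an assumption, noted in the code).

```sh
#!/bin/sh
# Added example: interpret a captured EHLO exchange (server lines on stdin).

# ehlo_verdict -> no-smtp-banner | non-220-banner | no-ehlo-reply |
#                 starttls-advertised | starttls-masked | starttls-missing
ehlo_verdict() {
  tr -d '\r' | awk '
    # The first SMTP-shaped reply line is the banner; anything but 220 is a refusal.
    !banner && /^[0-9][0-9][0-9][ -]/ { banner = 1; if ($0 !~ /^220/) refused = 1; next }
    # "250-KEYWORD args" continues the reply, "250 KEYWORD args" ends it: check both.
    # Heuristic (assumption): an 8-character keyword of mostly X, such as XXXXXXXA,
    # is how some ESMTP-inspecting firewalls overwrite STARTTLS.
    /^250[ -]/ {
      kw = toupper(substr($0, 5)); sub(/[ =].*/, "", kw)
      caps++
      if (kw == "STARTTLS") starttls = 1
      else if (length(kw) == 8 && kw ~ /^XXXXXX/) masked = 1
    }
    END {
      if (!banner)        print "no-smtp-banner"
      else if (refused)   print "non-220-banner"
      else if (!caps)     print "no-ehlo-reply"
      else if (starttls)  print "starttls-advertised"
      else if (masked)    print "starttls-masked"
      else                print "starttls-missing"
    }'
}

# Constructed transcript: nc status line, banner, then an EHLO reply without STARTTLS.
printf '%s\r\n' \
  'Connection to smtp.example.net port 587 [tcp/submission] succeeded!' \
  '220 mx.example.net ESMTP ready' \
  '250-mx.example.net' '250-8BITMIME' '250-XXXXXXXA' '250 AUTH PLAIN LOGIN' \
  '221 bye' | ehlo_verdict
```

Pipe the output of the `printf ... | nc` command from step 3.2 (with `2>&1`) into `ehlo_verdict` to classify a live response.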

4) Verify TLS negotiation (cert/handshake)

4.1 STARTTLS on 587 (recommended)

openssl s_client -starttls smtp \
  -connect "$SMTP_HOST:587" \
  -servername "$SMTP_HOST" \
  -crlf -showcerts

4.2 STARTTLS on 25 and 2525 (only if STARTTLS is advertised)

openssl s_client -starttls smtp -connect "$SMTP_HOST:25"   -servername "$SMTP_HOST" -crlf -showcerts
openssl s_client -starttls smtp -connect "$SMTP_HOST:2525" -servername "$SMTP_HOST" -crlf -showcerts

4.3 Implicit TLS (SSL) on 465

openssl s_client -connect "$SMTP_HOST:465" -servername "$SMTP_HOST" -crlf -showcerts

Interpretation

  • Successful TLS often ends with: Verify return code: 0 (ok) (may vary).
  • Errors like handshake failure or wrong version number can indicate interception, wrong port/protocol (for example, trying STARTTLS on 465), or TLS inspection.

macOS: “Send this to Support” diagnostic bundle

Run this and attach the output file:

SMTP_HOST="smtp.sendgrid.net"
OUT="smtp_diagnostics_$(date +%Y%m%d_%H%M%S).txt"

{
  echo "### Timestamp"; date; echo
  echo "### Host"; echo "$SMTP_HOST"; echo
  echo "### macOS version"; sw_vers; echo

  echo "### DNS (system resolver: dscacheutil)"
  dscacheutil -q host -a name "$SMTP_HOST" || true
  echo

  echo "### DNS (default dig)"
  dig +short "$SMTP_HOST" || true
  echo

  echo "### DNS (public resolvers)"
  echo "-- 1.1.1.1 --"; dig @1.1.1.1 +short "$SMTP_HOST" || true
  echo "-- 8.8.8.8 --"; dig @8.8.8.8 +short "$SMTP_HOST" || true
  echo

  echo "### Port reachability (nc)"
  for p in 587 25 2525 465; do
    echo "-- port $p --"
    nc -vz -w 3 "$SMTP_HOST" "$p" 2>&1 || true
  done
  echo

  echo "### EHLO capability checks (look for STARTTLS)"
  for p in 587 25 2525; do
    echo "-- EHLO on port $p --"
    printf 'EHLO test.local\r\nQUIT\r\n' | nc -v -w 5 "$SMTP_HOST" "$p" 2>&1 || true
    echo
  done

  echo "### TLS handshake tests (openssl)"
  echo "-- STARTTLS 587 --"
  openssl s_client -starttls smtp -connect "$SMTP_HOST:587" -servername "$SMTP_HOST" -crlf 2>&1 </dev/null || true
  echo

  echo "-- STARTTLS 2525 --"
  openssl s_client -starttls smtp -connect "$SMTP_HOST:2525" -servername "$SMTP_HOST" -crlf 2>&1 </dev/null || true
  echo

  echo "-- TLS 465 --"
  openssl s_client -connect "$SMTP_HOST:465" -servername "$SMTP_HOST" -crlf 2>&1 </dev/null || true
  echo

} | tee "$OUT"

echo "Saved diagnostics to: $OUT"

Also include in the support ticket (text, not screenshots)

  • Whether you are on a VPN or corporate network
  • Your approximate location/ISP (helps identify regional blocking)
  • Which ports worked vs timed out/refused
  • Timestamp (already included in the file)

Do NOT include

  • SMTP username/password
  • API keys
  • Any email contents

Windows 10/11: Verify SMTP connectivity (PowerShell)

0) Set your SMTP host

Open PowerShell (not CMD):

$SMTP_HOST = "smtp.sendgrid.net"

1) DNS resolution (system vs public)

System resolver

Resolve-DnsName $SMTP_HOST

Public DNS comparison (bypasses VPN/corp DNS rewriting)

nslookup $SMTP_HOST 1.1.1.1
nslookup $SMTP_HOST 8.8.8.8

Show configured DNS servers

Get-DnsClientServerAddress -AddressFamily IPv4

What to look for

If the system resolver returns private/CGNAT ranges (10.x, 192.168.x, 172.16-31.x, 100.64.x) but public DNS returns public IPs, your network/VPN may be rewriting DNS or proxying SMTP.

2) Port reachability (which ports work)

587,25,2525,465 | ForEach-Object {
  Test-NetConnection -ComputerName $SMTP_HOST -Port $_ |
    Select-Object ComputerName,RemoteAddress,RemotePort,TcpTestSucceeded
}

3) Read SMTP banner + confirm STARTTLS is advertised (587/25/2525)

Paste this function into PowerShell:

function Test-SmtpEhlo {
  # The host parameter is named $Server because $Host is a read-only automatic variable in PowerShell.
  param([Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][int]$Port)

  $client = New-Object System.Net.Sockets.TcpClient
  $client.ReceiveTimeout = 8000
  $client.SendTimeout    = 8000
  $client.Connect($Server, $Port)

  $stream = $client.GetStream()
  $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
  $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
  $writer.NewLine = "`r`n"
  $writer.AutoFlush = $true

  # The server speaks first: a healthy banner starts with 220.
  "BANNER: " + $reader.ReadLine()

  $writer.WriteLine("EHLO test.local")

  # Read the multi-line EHLO reply: "250-" lines continue, the final line starts with "250 ".
  $lines = @()
  $line = $reader.ReadLine()
  $lines += $line
  while ($line -match '^250-') {
    $line = $reader.ReadLine()
    $lines += $line
  }

  "EHLO RESPONSE:"
  $lines | ForEach-Object { "  $_" }

  if ($lines -match 'STARTTLS') { "STARTTLS: ADVERTISED" } else { "STARTTLS: NOT ADVERTISED" }

  $writer.WriteLine("QUIT")
  $client.Close()
}

Run it:

Test-SmtpEhlo -Server $SMTP_HOST -Port 587
Test-SmtpEhlo -Server $SMTP_HOST -Port 25
Test-SmtpEhlo -Server $SMTP_HOST -Port 2525

4) TLS handshake verification

Option A: OpenSSL (if installed)

STARTTLS (587 / 25 / 2525):

# ${SMTP_HOST} is braced so PowerShell does not read "$SMTP_HOST:587" as a scope-qualified variable.
openssl s_client -starttls smtp -connect "${SMTP_HOST}:587"  -servername $SMTP_HOST -crlf -showcerts
openssl s_client -starttls smtp -connect "${SMTP_HOST}:2525" -servername $SMTP_HOST -crlf -showcerts
openssl s_client -starttls smtp -connect "${SMTP_HOST}:25"   -servername $SMTP_HOST -crlf -showcerts

Implicit TLS (465):

openssl s_client -connect "${SMTP_HOST}:465" -servername $SMTP_HOST -crlf -showcerts

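Option B: Built-in curl (useful for TLS visibility; send may fail due to auth)

# Call curl.exe explicitly: in Windows PowerShell, "curl" is an alias for Invoke-WebRequest.
# ${SMTP_HOST} is braced so the ":587" / ":465" suffix is not parsed as part of the variable name.
"Subject: tls-test`r`n`r`nTest" | curl.exe -v --url "smtp://${SMTP_HOST}:587"  --ssl-reqd --mail-from "<test@example.com>" --mail-rcpt "<test@example.com>" --upload-file -
"Subject: tls-test`r`n`r`nTest" | curl.exe -v --url "smtps://${SMTP_HOST}:465" --mail-from "<test@example.com>" --mail-rcpt "<test@example.com>" --upload-file -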

Windows: “Send this to Support” diagnostic bundle

This creates a single diagnostic file on your Desktop:

$SMTP_HOST = "smtp.sendgrid.net"
$TS = Get-Date -Format "yyyyMMdd_HHmmss"
$OUT = "$env:USERPROFILE\Desktop\smtp_diagnostics_$TS.txt"

Start-Transcript -Path $OUT | Out-Null

"### Timestamp"; Get-Date; ""
"### Host"; $SMTP_HOST; ""

"### Windows version"
cmd /c ver
""

"### Adapter DNS servers"
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-List
""

"### DNS resolution (system)"
try { Resolve-DnsName $SMTP_HOST | Format-List } catch { $_.Exception.Message }
""

"### DNS resolution (public resolvers)"
"--- 1.1.1.1 ---"
nslookup $SMTP_HOST 1.1.1.1
"--- 8.8.8.8 ---"
nslookup $SMTP_HOST 8.8.8.8
""

"### Port reachability (Test-NetConnection)"
foreach ($p in 587,25,2525,465) {
  "== Port $p =="
  Test-NetConnection -ComputerName $SMTP_HOST -Port $p |
    Select-Object ComputerName,RemoteAddress,RemotePort,TcpTestSucceeded | Format-List
}
""

"### EHLO capability checks (look for STARTTLS)"
function Test-SmtpEhlo {
  # The host parameter is named $Server because $Host is a read-only automatic variable in PowerShell.
  param([string]$Server,[int]$Port)
  $client = New-Object System.Net.Sockets.TcpClient
  $client.ReceiveTimeout = 8000
  $client.SendTimeout    = 8000
  $client.Connect($Server, $Port)

  $stream = $client.GetStream()
  $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
  $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
  $writer.NewLine = "`r`n"
  $writer.AutoFlush = $true

  "BANNER: " + $reader.ReadLine()
  $writer.WriteLine("EHLO test.local")

  # Read the multi-line EHLO reply: "250-" lines continue, the final line starts with "250 ".
  $lines = @()
  $line = $reader.ReadLine()
  $lines += $line
  while ($line -match '^250-') {
    $line = $reader.ReadLine()
    $lines += $line
  }

  "EHLO RESPONSE:"
  $lines | ForEach-Object { "  $_" }

  if ($lines -match 'STARTTLS') { "STARTTLS: ADVERTISED" } else { "STARTTLS: NOT ADVERTISED" }

  $writer.WriteLine("QUIT")
  $client.Close()
}

foreach ($p in 587,25,2525) {
  ""
  "== EHLO on port $p =="
  try { Test-SmtpEhlo -Server $SMTP_HOST -Port $p } catch { $_.Exception.Message }
}

""
"### Optional: OpenSSL tests (if OpenSSL is installed)"
$openssl = Get-Command openssl -ErrorAction SilentlyContinue
if ($openssl) {
  "OpenSSL found at: $($openssl.Path)"
  ""
  # ${SMTP_HOST} is braced so PowerShell does not read "$SMTP_HOST:587" as a scope-qualified variable.
  cmd /c "openssl s_client -starttls smtp -connect ${SMTP_HOST}:587 -servername $SMTP_HOST -crlf < NUL"
  ""
  cmd /c "openssl s_client -starttls smtp -connect ${SMTP_HOST}:2525 -servername $SMTP_HOST -crlf < NUL"
  ""
  cmd /c "openssl s_client -connect ${SMTP_HOST}:465 -servername $SMTP_HOST -crlf < NUL"
} else {
  "OpenSSL not found in PATH."
}

Stop-Transcript | Out-Null
"Saved diagnostics to: $OUT"

Also include in the support ticket (text, not screenshots)

  • Whether you are on a VPN or corporate network
  • Your approximate location/ISP (helps identify regional blocking)
  • Which ports worked vs timed out/refused
  • Timestamp (already included in the file)

Do NOT include

  • SMTP username/password
  • API keys
  • Any email contents

 

How to interpret your results (macOS + Windows)

Please don’t include passwords, API keys, or email content in any screenshots/logs you send us.

| What you see | What it means | What to try next |
| --- | --- | --- |
| Your computer resolves the SMTP hostname to a private/internal IP (examples: 10.x, 192.168.x, 172.16–31.x, 100.64.x) but public DNS (1.1.1.1 / 8.8.8.8) resolves to different public IPs | Your network (often VPN/corporate Wi‑Fi) is rewriting DNS or routing SMTP through an internal relay/proxy | Disconnect VPN and retry, or try a different network. If you must stay on the corporate network, ask your network team to allow direct SMTP access or provide the approved relay settings |
| Port 587 fails (timeout / not reachable) but 2525 works | Your network blocks 587 | Use 2525 with STARTTLS |
| Port 25 fails but 587/2525 work | Port 25 is commonly blocked by ISPs/corporate networks | Use 587 (recommended) or 2525 |
| All ports fail (25/465/587/2525 all time out / not reachable) | Outbound SMTP is blocked from your network, or there’s a routing/firewall issue | Try another network. If it works elsewhere, ask your network admin/ISP to allow outbound TCP to the supported ports |
| You can connect to a port, but you don’t get an SMTP banner (no line starting with 220) or it disconnects immediately | You may not be reaching an SMTP server (DNS issue), or a firewall/proxy is interrupting the connection | Re-check DNS results, try again off VPN, and try another supported port (2525 or 465) |
| EHLO output does not include STARTTLS on 587/25/2525 | STARTTLS isn’t available on that connection path, or something is stripping capabilities | Try 465 (implicit TLS), or switch networks / disable VPN and retest |
| TLS handshake errors like handshake failure or wrong version number | Wrong TLS method for the port, or network interference | Ensure: STARTTLS on 587/25/2525, and implicit TLS on 465. If correct and it still fails, try another network/disable VPN |

 

Additional Information

  • Do not send secrets: SMTP usernames/passwords, API keys, or email content.
  • If you see authentication errors (for example 530 or 535) after connectivity/TLS succeeds, the network path is working and the issue is usually credentials or configuration (port/security mode/auth method).