How do I troubleshoot email server issues on my EC2 Windows instance?

Short description

The following are several common reasons why you might have problems sending email from your instance over SMTP:

• SMTP traffic is blocked by your security groups or network access control lists (network ACL) on default ports 25, 587, or 465.
  Note: By default, outbound traffic is blocked on port 25 (SMTP) for all EC2 instances and AWS Lambda functions. To send outbound traffic on port 25, request the removal of this restriction. For more information, see How do I remove the restriction on port 25 from my Amazon EC2 instance or AWS Lambda function?
• The public IP address that was automatically assigned to the instance changed after a reboot.
• Your outbound messages are flagged as spam.
• Emails aren't delivered to a specific domain.
• Outbound emails are delayed.
• You can't send emails even though you can receive them.

Resolution

SMTP traffic is blocked by your security groups or NACLs on default ports 25, 587, or 465

1. To verify that traffic is blocked, check for connectivity at the SMTP port using Test-NetConnection or telnet utility.
2. If traffic is blocked at the SMTP port, make sure that the following configurations are correct:
   The security group outbound (egress) rules must allow traffic to the SMTP server on TCP port 25, 587, or 465.
   The network ACL outbound (egress) rules must allow traffic to the SMTP server on TCP port 25, 587, or 465.
   The network ACL inbound (ingress) rules must allow traffic from the SMTP server on TCP ports 1024-65535.
   The firewall and antivirus application on your Windows instance must allow traffic to the SMTP server on TCP port 25, 587, or 465.
   The EC2 instance must have internet connectivity.

The public IP address that was automatically assigned to the instance changed after a reboot

Public IP addresses change after every reboot or instance stop and start. To avoid this, make sure that the instance used as the mail server has an Elastic IP address assigned to it.

Your outbound messages are flagged as spam

Your outbound messages might be flagged as spam if you're missing DKIM authentication, SPF records, or a reverse DNS record set. It's a best practice to set up these records to help prevent outbound emails from being flagged as spam. For more information on reverse DNS records, see the following:

Configurable reverse DNS for Amazon EC2's Elastic IP addresses

How do I enable reverse DNS functionality for Amazon Route 53 with a PTR record?

How do I troubleshoot issues with the PTR record that I'm using for reverse DNS in Route 53?

Emails aren't delivered to a specific domain

If you can't send emails to a specific domain, then follow these steps:

• Check whether the recipient domain is blocking your IP address.
• Make sure that your emails aren't too large for the destination to accept. Even if you don't have a size restriction on sent mail, the recipient might have limits on incoming mail size. The standard email size setting is 22 MB.

Outbound emails are delayed

If your emails are delayed, then follow these steps:

1. Check whether the delayed emails are going to one specific address or domain.
2. Check your email server configuration to make sure that nothing has changed.
3. Check whether the email queue is slow on your server, or if emails leave your server on time but are slow to arrive at the destination.
   If emails are stacking in the queue on your server, make sure that there aren't performance issues on your SMTP server.
   If the problem is at the destination, make sure that your emails aren't too large for the destination to accept. Even if you don't have a size restriction on sent mail, the recipient might have limits on incoming mail size. The standard email size setting is 22 MB.
4. Analyze the message header using an email header analyzer tool to look for diagnostic information.

You can't send emails even though you can receive them

This issue occurs when the authentication required by the outgoing (SMTP) server isn't configured.