Skip to content
MikroTik RouterOS Docs

Email (SMTP Notifications)

Email (SMTP Notifications)

Section titled “Email (SMTP Notifications)”

RouterOS includes a built-in SMTP email client under /tool e-mail. It supports authenticated submission with TLS/STARTTLS, making it suitable for sending alerts, status reports, and configuration backups from scripts, Netwatch rules, or the system scheduler.

Overview

Section titled “Overview”
Section titled “Sub-menu”

/tool e-mail

Key Capabilities

Section titled “Key Capabilities”
  • SMTP client with authentication (username/password)
  • TLS modes: none, implicit TLS (SMTPS), and STARTTLS
  • Send from scripts, Netwatch hooks, or the scheduler
  • File attachments (e.g. config exports, backups)
  • Per-message server override (optional)

Configuring the Email Client

Section titled “Configuring the Email Client”

Set the SMTP server details once. All subsequent send commands use these settings unless overridden per-message.

Configuration properties

Section titled “Configuration properties”
PropertyDescription
addressSMTP server hostname or IP address
portTCP port (default: 25)
fromSender address shown in the From: header
userSMTP authentication username
passwordSMTP authentication password
tlsTLS mode: no, yes (implicit/SMTPS), or starttls

Unauthenticated SMTP (relay, internal only)

Section titled “Unauthenticated SMTP (relay, internal only)”
/tool e-mail
set address=smtp.internal.example.com port=25 from[email protected]
Section titled “Authenticated submission with STARTTLS (recommended)”
/tool e-mail
set address=smtp.example.com port=587 \
    from[email protected] user[email protected] \
    password=YourSMTPPassword tls=starttls

Verify current settings

Section titled “Verify current settings”
/tool e-mail print

TLS Modes and Port Selection

Section titled “TLS Modes and Port Selection”

RouterOS supports three TLS modes. Choose the mode that matches your SMTP provider’s requirements.

Modetls= valueTypical portBehaviour
No encryptionno25Plaintext. Avoid on untrusted networks.
Implicit TLS (SMTPS)yes465TLS from the first byte. Fails if server does not support it.
Explicit TLS (STARTTLS)starttls587Starts plaintext, upgrades to TLS. Fails if server does not support STARTTLS.

Port 25 is commonly blocked by ISPs and cloud providers. Use port 587 with tls=starttls for most public mail services.

Gmail

Section titled “Gmail”
/tool e-mail
set address=smtp.gmail.com port=587 tls=starttls \
    from[email protected] user[email protected] \
    password=YourAppPassword

Note: Google requires an App Password when 2-Step Verification is enabled. Regular account passwords will not work.

Microsoft 365 / Office 365

Section titled “Microsoft 365 / Office 365”
/tool e-mail
set address=smtp.office365.com port=587 tls=starttls \
    from=user@tenant.com user=user@tenant.com \
    password=YourPassword

Sending Email

Section titled “Sending Email”

Send a test message

Section titled “Send a test message”
/tool e-mail send to[email protected] \
    subject="RouterOS test" body="Mail from /tool e-mail"

Send with a file attachment

Section titled “Send with a file attachment”
/tool e-mail send to[email protected] \
    subject="Config export" body="See attached." \
    file=export.rsc

Send with multiple attachments

Section titled “Send with multiple attachments”
/tool e-mail send to[email protected] \
    subject="Logs and backup" body="Two files attached." \
    file="backup.backup,syslog.txt"

Override SMTP server per message

Section titled “Override SMTP server per message”

All connection parameters can be overridden on a per-send basis without changing the global settings:

/tool e-mail send to[email protected] \
    subject="Urgent" body="From secondary relay." \
    server=smtp2.example.com port=25

Scripted Alerts

Section titled “Scripted Alerts”

Scripts can compose dynamic email bodies using RouterOS variables and system commands, then call /tool e-mail send.

WAN down alert script

Section titled “WAN down alert script”
/system script
add name=wan-down-alert source={
    :local rName [/system identity get name]
    :local ts ([/system clock get date] . " " . [/system clock get time])
    :local body ("WAN is DOWN on " . $rName . " at " . $ts)
    /tool e-mail send \
        to="[email protected]" \
        subject=("ALERT: WAN down - " . $rName) \
        body=$body
}

Daily status report script

Section titled “Daily status report script”
/system script
add name=daily-status-email source={
    :local id  [/system identity get name]
    :local up  [/system resource get uptime]
    :local ver [/system resource get version]
    :local cpu [/system resource get cpu-load]
    :local body ("Router: " . $id . "\r\nUptime: " . $up . \
                 "\r\nVersion: " . $ver . "\r\nCPU load: " . $cpu . "%")
    /tool e-mail send \
        to="[email protected]" \
        subject=($id . " daily status") \
        body=$body
}

Daily config export with email attachment

Section titled “Daily config export with email attachment”
/system script
add name=mail-config-export source={
    :local id [/system identity get name]
    :local fn ("export-" . $id)
    /export file=$fn
    /tool e-mail send \
        to="[email protected]" \
        subject=($id . " config export") \
        body="RouterOS configuration export attached." \
        file=($fn . ".rsc")
}

Integration with Scheduler

Section titled “Integration with Scheduler”

Run email scripts on a fixed schedule using /system scheduler.

Hourly status report

Section titled “Hourly status report”
/system scheduler
add name=hourly-status interval=1h \
    start-time=startup on-event=daily-status-email

Daily config backup at 06:00

Section titled “Daily config backup at 06:00”
/system scheduler
add name=daily-config-export start-time=06:00:00 \
    interval=1d on-event=mail-config-export

See Scheduler for full reference.

Integration with Netwatch

Section titled “Integration with Netwatch”

Netwatch fires up-script and down-script on host reachability changes. Use these to trigger immediate email alerts.

# Configure SMTP first (see above), then add the Netwatch rule:
/tool netwatch
add host=203.0.113.1 interval=30s timeout=3s \
    down-script={
        :local rName [/system identity get name]
        :local ts ([/system clock get date] . " " . [/system clock get time])
        /tool e-mail send \
            to="[email protected]" \
            subject=("ALERT: 203.0.113.1 DOWN - " . $rName) \
            body=("Host 203.0.113.1 is DOWN on " . $rName . " at " . $ts)
    } \
    up-script={
        :local rName [/system identity get name]
        :local ts ([/system clock get date] . " " . [/system clock get time])
        /tool e-mail send \
            to="[email protected]" \
            subject=("RECOVERY: 203.0.113.1 UP - " . $rName) \
            body=("Host 203.0.113.1 is UP on " . $rName . " at " . $ts)
    }

Note: Netwatch scripts run under the sys user with limited permissions (read, write, test, reboot). If email alerts do not fire, verify that the script policy allows the required operations.

See Netwatch for full reference.

Troubleshooting

Section titled “Troubleshooting”
SymptomLikely causeResolution
Send times out or fails silentlyPort 25 blocked by ISPSwitch to port 587 with tls=starttls
Authentication failureWrong credentials or app password not setUse an App Password for Gmail/Microsoft; verify user and password
TLS handshake errorTLS mode/port mismatchUse tls=starttls on port 587 or tls=yes on port 465
Netwatch alert never firesScript policy restrictionCheck /tool netwatch script execution permissions
Attachment not foundFile does not exist on routerRun /file print to confirm the filename before sending

Check send result interactively

Section titled “Check send result interactively”

RouterOS prints an error to the terminal if the send command fails. Run the send command directly in the terminal (not inside a scheduler or Netwatch script) to see the raw error message.