excalibur | 2 months ago

The bit about the gmai.com mailserver is disturbing. One would imagine there are many other typo squatters with a similar setup.

imglorp|2 months ago

I just checked. At least it's not answering on 25 to receive all that free typo mail. Same for gmali.com. But they could spoof the gmail login page. Not finding out.

    PORT     STATE SERVICE
    80/tcp   open  http
    443/tcp  open  https
    8080/tcp open  http-proxy

MrDOS|2 months ago

You're looking in the wrong place. They don't need to be listening for mail on the machine behind the A/AAAA records for the domain, because they have an MX record indicating that mail should be delivered elsewhere:

    $ dig MX gmai.com +short
    1 mail.h-email.net.

Port 25 is very rare these days, as it implies the possibility of unencrypted traffic; legitimate SMTP traffic uses port 587. That said, I checked a couple of the hosts that that name resolves to, and they all listen for both SMTP and secure SMTP traffic:

    $ nmap -p 25,587 mail.h-email.net
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-18 16:31 UTC
    Nmap scan report for mail.h-email.net (165.227.159.144)
    Host is up (0.093s latency).
    Other addresses for mail.h-email.net (not scanned): 91.107.214.206 165.227.156.49 167.235.143.33 5.75.171.74 5.161.194.135 178.62.199.248 5.161.98.212 162.55.164.116 49.13.4.90
    rDNS record for 165.227.159.144: mail2.h-email.net

    PORT    STATE SERVICE
    25/tcp  open  smtp
    587/tcp open  submission
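
The MX-versus-A distinction from the reply above, as an added example that is not part of the thread: a resolver over a constructed zone (the `.example` names and documentation addresses are made up) that reports which hosts receive a domain's mail. It goes beyond the thread by also covering the fallback to address records when no MX exists (RFC 5321 section 5.1) and the null MX record (RFC 7505).

```python
# Added example: decide which hosts receive mail for a domain.
# ZONE is constructed sample data, not real DNS answers.
ZONE = {
    ("typo.example", "A"): ["192.0.2.10"],                    # web host only
    ("typo.example", "MX"): [(1, "mail.collector.example.")],  # mail goes elsewhere
    ("mail.collector.example", "A"): ["198.51.100.5", "198.51.100.6"],
    ("web-only.example", "A"): ["192.0.2.20"],                # no MX at all
    ("nullmx.example", "A"): ["192.0.2.30"],
    ("nullmx.example", "MX"): [(0, ".")],                      # RFC 7505 null MX
}


def lookup(name, rtype, zone=ZONE):
    """Return the records of one type for a name (empty list if none)."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def addresses(name, zone=ZONE):
    return lookup(name, "A", zone) + lookup(name, "AAAA", zone)


def mail_targets(domain, zone=ZONE):
    """Return (how, [(host, [addresses]), ...]) for the domain's mail path."""
    mx = sorted(lookup(domain, "MX", zone))      # lowest preference first
    if len(mx) == 1 and mx[0][1] == ".":
        return "null-mx", []                     # domain declares it takes no mail
    if mx:
        return "mx", [(h.rstrip("."), addresses(h, zone)) for _, h in mx]
    addrs = addresses(domain, zone)
    if addrs:
        return "implicit-mx", [(domain, addrs)]  # no MX: senders fall back to A/AAAA
    return "none", []


def web_host_receives_mail(domain, zone=ZONE):
    """True only when scanning the domain's own A/AAAA hosts tests the mail path."""
    web = set(addresses(domain, zone))
    _, hosts = mail_targets(domain, zone)
    return any(web & set(addrs) for _, addrs in hosts)


if __name__ == "__main__":
    for d in ("typo.example", "web-only.example", "nullmx.example"):
        print(d, mail_targets(d), web_host_receives_mail(d))
```
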