Guide

Gmail SMTP Settings 2026: Ports, TLS, Auth

Complete Gmail SMTP reference for developers: smtp.gmail.com settings, port 587 and 465 configuration, app password setup, OAuth 2.0 requirements, sending limits, common error codes, and a zero-config CLI alternative.

Written by Qasim Muhammad Staff SRE

VerifiedCLI 3.1.1 · Gmail · last tested May 21, 2026

Command references used in this guide: nylas email send for sending without SMTP, nylas auth login for OAuth authentication, nylas auth config for headless API-key setup, and nylas email search for finding messages.

What are the Gmail SMTP server settings?

Gmail's outgoing mail server is smtp.gmail.com. It accepts connections on port 587 with STARTTLS encryption and port 465 with implicit SSL/TLS. Both ports require authentication with either an app password or an OAuth 2.0 access token. Plain-text connections on port 25 are not available for standard Gmail accounts. These settings haven't changed since Google standardized them, but the authentication methods have narrowed significantly since 2022.

SettingValue
SMTP serversmtp.gmail.com
Port (STARTTLS)587
Port (SSL/TLS)465
EncryptionTLS 1.2 or higher required
AuthenticationApp password or OAuth 2.0
UsernameYour full Gmail address (you@gmail.com)
Daily limit (personal)500 messages
Daily limit (Workspace)2,000 messages

Google also runs an SMTP relay at smtp-relay.gmail.com for Workspace accounts that need higher throughput. The relay supports up to 10,000 recipients per day per user and allows IP-based authentication instead of user credentials. According to Google's Workspace documentation, the relay is intended for printers, scanners, and internal apps that send from a known IP range.

The most common configuration uses port 587 with STARTTLS. Here's what that looks like in msmtp, a lightweight SMTP client that many developers use as a sendmail replacement. The config file is ~/.msmtprc and takes about 2 minutes to write.

~/.msmtprc
# ~/.msmtprc — Gmail SMTP via msmtp
account        gmail
host           smtp.gmail.com
port           587
tls            on
tls_starttls   on
auth           on
user           you@gmail.com
password       abcd-efgh-ijkl-mnop
from           you@gmail.com
logfile        ~/.msmtp.log

account default : gmail

How do I set up a Gmail app password for SMTP?

A Gmail app password is a 16-character code that replaces your account password when connecting to SMTP. Google generates it for you after you enable 2-Step Verification. App passwords are currently the only password-based SMTP authentication method for personal Gmail accounts. Google disabled "Less Secure Apps" access on September 30, 2024, removing the old option of using your regular Gmail password for SMTP connections.

Creating an app password takes about 3 minutes. You need 2-Step Verification enabled first, which Google requires for all new accounts since 2021. Here are the steps:

  1. Go to myaccount.google.com/security and confirm 2-Step Verification is on.
  2. Visit myaccount.google.com/apppasswords.
  3. Enter a name for the app (e.g., "SMTP script") and click Create.
  4. Copy the 16-character password. It appears once — you can't retrieve it later.
  5. Use this password as the SMTP password in your client. Your username is your full email address.

According to Google's app password documentation, app passwords "aren't recommended and are unnecessary in most cases." Google prefers OAuth 2.0 sign-in. App passwords are also revoked automatically whenever you change your Google account password, so any SMTP integration using one will break until you generate a new code.

You can test the app password with swaks, the SMTP protocol testing tool. This sends a single message through Gmail's SMTP server and shows every step of the SMTP handshake, making it easy to spot authentication failures. The test takes about 5 seconds.

Terminal
# Test Gmail SMTP auth with swaks
swaks --to recipient@example.com \
  --from you@gmail.com \
  --server smtp.gmail.com \
  --port 587 \
  --tls \
  --auth LOGIN \
  --auth-user you@gmail.com \
  --auth-password "abcd-efgh-ijkl-mnop"

# Expected output (successful):
# -> AUTH LOGIN
# <- 235 2.7.0 Accepted
# -> MAIL FROM:<you@gmail.com>
# <- 250 2.1.0 OK

What are Gmail SMTP sending limits?

Personal Gmail accounts can send 500 emails per rolling 24-hour window. Google Workspace accounts get 2,000 messages per day. When you exceed the limit, Gmail returns a temporary error and suspends outbound sending for up to 24 hours. Incoming mail still works during the suspension. Trial Workspace accounts are capped at 500 messages per day until cumulative payments reach $100 USD.

LimitPersonal GmailGoogle Workspace
Messages per day5002,000
Recipients per message5002,000 (500 external)
Recipients per day50010,000
Unique external recipients/day5003,000
Mail merge per dayN/A1,500
SMTP recipients per message100100
Attachment size limit25 MB25 MB

The 100-recipient-per-message limit on SMTP connections is lower than the 500 allowed through the Gmail web UI. According to Google's Workspace sending limits documentation, SMTP, POP, and IMAP users are capped at 100 recipients per message regardless of account type. If your script sends to more than 100 addresses, split the recipients into batches.

For bulk senders who send more than 5,000 messages per day to Gmail recipients, Google requires SPF, DKIM, and DMARC authentication on the sending domain, plus a one-click unsubscribe header. The requirements went into effect in February 2024. Senders exceeding their quota see SMTP error code 4.7.28 — a temporary rejection that clears after the 24-hour window resets.

Why does Gmail SMTP authentication fail?

Gmail SMTP authentication fails for 4 common reasons: missing app password, wrong credentials, disabled 2-Step Verification, or too many simultaneous connections. Google returns specific SMTP error codes for each case. The error message tells you exactly what went wrong if you know where to look. Here are the codes you'll encounter most often.

Error codeMessageCauseFix
534-5.7.9"Application-specific password required"Account has 2-Step Verification but no app passwordGenerate an app password at myaccount.google.com/apppasswords
535-5.7.8"Username and Password not accepted"Wrong password, expired app password, or account password was changedGenerate a new app password
421-4.7.0"Too many concurrent SMTP connections"More than 10 simultaneous SMTP sessions from one accountReduce connection pool size or add exponential backoff
550-5.4.5"Daily sending quota exceeded"Hit 500/day (personal) or 2,000/day (Workspace) limitWait up to 24 hours for the rolling window to reset
530-5.7.0"Must issue a STARTTLS command first"Connecting to port 587 without STARTTLSEnable STARTTLS in your client, or switch to port 465 with implicit SSL

The most common error in 2026 is 534-5.7.9. Developers copy SMTP examples from older tutorials that use a regular Gmail password. Those examples worked before September 30, 2024, when Google still allowed Less Secure Apps access. Now every SMTP connection to Gmail requires either an app password or an OAuth 2.0 token.

To diagnose SMTP errors interactively, use openssl to open a raw TLS connection. This shows the exact SMTP banner and error response from Google's server, which is useful when higher-level clients hide the original error code. The command connects to port 465 with implicit TLS.

Terminal
# Open a raw TLS connection to Gmail SMTP
openssl s_client -connect smtp.gmail.com:465 -quiet

# You'll see the SMTP banner:
# 220 smtp.gmail.com ESMTP ... - gsmtp

# Authenticate manually:
EHLO localhost
AUTH LOGIN
# Enter base64-encoded username and password
# Google returns 235 on success or 535-5.7.8 on failure

Is Gmail SMTP being deprecated?

Gmail SMTP itself is not being deprecated. The smtp.gmail.com server still accepts connections on ports 587 and 465 as of May 2026. What has changed is how you authenticate. Google has systematically removed the easier authentication methods over the past 4 years, leaving only app passwords and OAuth 2.0. The direction is clear: OAuth is the intended path.

Here's the timeline of what Google has shut down:

DateWhat happened
May 30, 2022Google stopped allowing new apps to enable Less Secure Apps access
June 15, 2024Less Secure Apps toggle removed from the Workspace Admin Console
September 30, 2024Less Secure Apps access disabled for all Google Workspace accounts
January 2025Rollout resumed after a pause in October 2024; final enforcement by March-May 2025

App passwords remain available today, but Google's own documentation calls them "not recommended." They carry risk: anyone with the 16-character code has full SMTP access to the account, and you can't scope an app password to specific actions. OAuth 2.0 lets you request only the scopes you need (e.g., https://mail.google.com/ for SMTP) and tokens expire after 3,600 seconds. If you're building something new, use OAuth.

For Workspace administrators, Google's September 2023 blog post confirmed the migration path: apps that need mail access should use OAuth or the Gmail API. Printers and scanners that can't do OAuth should use the smtp-relay.gmail.com relay with IP-based authentication instead.

How do I send email without configuring SMTP?

Nylas CLI sends email through the Nylas API without SMTP configuration, app passwords, or OAuth token management. One command authenticates via browser-based OAuth, and subsequent sends use stored credentials that refresh automatically every 3,600 seconds. The entire setup from install to first sent email takes under 2 minutes. It works with Gmail, Outlook, Exchange, Yahoo, iCloud, and IMAP providers.

Install the CLI with Homebrew, then run the guided setup. The nylas init command walks you through account creation, API key setup, and mailbox connection. If you already have a Nylas API key, you can skip straight to nylas auth config. See the getting started guide for other install methods (shell script, PowerShell, Go).

Terminal
# Install Nylas CLI
brew install nylas/nylas-cli/nylas

# Guided setup (creates account, API key, connects mailbox)
nylas init

# Or, if you already have an API key
nylas auth config --api-key nyl_abc123
nylas auth login

# Send an email — no SMTP, no app password, no port config
nylas email send \
  --to recipient@example.com \
  --subject "Sent without SMTP" \
  --body "No smtp.gmail.com, no port 587, no app password."

# Send non-interactively (for scripts and cron jobs)
nylas email send \
  --to ops@company.com \
  --subject "Deploy complete" \
  --body "Build #1847 deployed at $(date)" \
  --yes

The difference between SMTP and API-based sending is significant for scripts that run unattended. With SMTP, you manage credentials (app passwords that break when the account password changes), connection pooling (Gmail limits you to 10 concurrent SMTP sessions), and TLS negotiation. With the CLI, one command handles all of it. The tool stores OAuth tokens in your system keyring and refreshes them before they expire.

For Python scripts that currently use smtplib with Gmail SMTP settings, you can replace the SMTP block with a subprocess call. This eliminates the SMTP configuration and app password from your code entirely. The Send email from Python without SMTP guide covers the full migration pattern.

send_email.py
# Before: 15 lines of smtplib + Gmail SMTP config
import smtplib
from email.mime.text import MIMEText

msg = MIMEText("Hello from Python")
msg["Subject"] = "Test"
msg["From"] = "you@gmail.com"
msg["To"] = "recipient@example.com"

with smtplib.SMTP("smtp.gmail.com", 587) as server:
    server.starttls()
    server.login("you@gmail.com", "abcd-efgh-ijkl-mnop")  # app password
    server.send_message(msg)

# After: 1 subprocess call, no SMTP, no password in code
import subprocess
subprocess.run([
    "nylas", "email", "send",
    "--to", "recipient@example.com",
    "--subject", "Test",
    "--body", "Hello from Python",
    "--yes"
], check=True)

If your use case needs SMTP (mail server testing, printer integration, legacy apps that can't call subprocesses), the settings at the top of this page are what you need. For everything else, sending through an API removes the moving parts: no port to remember, no TLS to negotiate, no app password to rotate.

Next steps