Guide
Outlook SMTP Settings: Server, Port, TLS
Complete Outlook SMTP reference for developers: smtp.office365.com settings, port 587 with STARTTLS, Modern Auth (OAuth 2.0) requirements since Microsoft removed Basic Auth in October 2022, sending limits for Microsoft 365 and Outlook.com, common SMTP error codes, and a zero-config alternative.
Written by Nick Barraclough Product Manager
Command references used in this guide: nylas email send for sending without SMTP, nylas auth login for OAuth authentication, and nylas email list for reading email.
What are the Outlook SMTP server settings?
The Outlook SMTP server is smtp.office365.com. Port 587 with STARTTLS is the only supported configuration since Microsoft deprecated port 25 for client submissions and recommends port 587 with STARTTLS over port 465 for Exchange Online. Authentication must use OAuth 2.0 Modern Auth. The table below is the complete quick-reference for configuring any SMTP client or library.
| Setting | Value |
|---|---|
| SMTP server | smtp.office365.com |
| Port | 587 |
| Encryption | STARTTLS (required) |
| Authentication | OAuth 2.0 (Modern Auth) |
| Username | Full email address (user@domain.com) |
| IMAP server | outlook.office365.com (port 993, TLS) |
| POP3 server | outlook.office365.com (port 995, TLS) |
The IMAP and POP3 servers use a different hostname (outlook.office365.com) than the SMTP server. This catches developers who assume they're the same. According to Microsoft's Exchange Online docs, SMTP AUTH must be explicitly enabled per mailbox by a tenant admin. It's disabled by default for new Microsoft 365 tenants.
How did Microsoft's Basic Auth shutdown change SMTP access?
Microsoft permanently disabled Basic Authentication for Exchange Online protocols on October 1, 2022. Before that date, SMTP clients could send username and password in plain text (base64-encoded via AUTH LOGIN or AUTH PLAIN). After the shutdown, all SMTP connections must authenticate with an OAuth 2.0 access token using the XOAUTH2 SASL mechanism. This change broke thousands of scripts, printers, and line-of-business apps overnight.
To send email via SMTP with Modern Auth, you need an Azure AD app registration with the SMTP.Send delegated permission. The token request goes to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token with scope=https://outlook.office365.com/.default. The access token expires in 3,600 seconds (1 hour), so production code needs a refresh-token loop. The example below shows the SMTP EHLO handshake after upgrading to STARTTLS.
# SMTP Modern Auth handshake (conceptual)
EHLO client.example.com
STARTTLS
EHLO client.example.com
AUTH XOAUTH2 <base64-encoded-oauth2-token>
# The base64 token format:
# user=user@contoso.com^Aauth=Bearer <access_token>^A^A
# where ^A is the ASCII SOH character (0x01)The XOAUTH2 token format is not the same as a standard Bearer header. The user= and auth=Bearer fields are separated by SOH (0x01) characters, then the entire string is base64-encoded. Getting this encoding wrong is the #1 cause of 535 5.7.3 Authentication unsuccessful errors. Microsoft's XOAUTH2 documentation includes a Python sample that constructs the string correctly.
What are common Outlook SMTP errors and fixes?
Outlook SMTP returns RFC 5321 error codes with Microsoft-specific extended status codes. The 5.7.x family covers authentication and authorization failures, which are the most common after the Basic Auth shutdown. The table below lists 8 common errors from Microsoft's NDR reference.
| Error code | Meaning | Fix |
|---|---|---|
| 535 5.7.3 | Authentication unsuccessful | Switch to OAuth 2.0 Modern Auth; Basic Auth is permanently disabled |
| 550 5.7.501 | SMTP AUTH disabled for mailbox | Admin must enable SMTP AUTH via Set-CASMailbox -SmtpClientAuthenticationDisabled $false |
| 550 5.1.1 | Recipient not found | Verify the recipient address exists in the target domain |
| 421 4.7.0 | Connection throttled | Back off and retry after 60 seconds; reduce send rate |
| 550 5.7.708 | Tenant blocked outbound email | Admin must remove the block in the Security & Compliance Center |
| 554 5.2.0 | Message too large | Reduce message size below 25 MB (35 MB with base64 overhead = ~25 MB decoded) |
| 452 4.5.3 | Too many recipients | Limit to the per-tenant recipient cap (default varies, max 1,000) |
| 550 5.7.520 | Detected as spam | Check SPF, DKIM, DMARC records; reduce bulk sending rate |
Error 535 5.7.3 is by far the most common, accounting for the majority of support tickets since October 2022. If you see it, your code is still sending a plain username and password. The fix is to register an Azure AD app, acquire an OAuth 2.0 token, and use the XOAUTH2 mechanism as described in the previous section.
What are the sending limits for Microsoft 365?
Microsoft 365 enforces per-mailbox and per-tenant rate limits on SMTP AUTH submissions. The limits differ between Microsoft 365 Business plans and free Outlook.com accounts. Exceeding any limit triggers a 421 4.7.0 throttle response or a 550 rejection. The table below shows the current limits per Microsoft's Exchange Online limits documentation.
| Limit | Microsoft 365 | Outlook.com |
|---|---|---|
| Recipients per day | 10,000 | varies by subscription |
| Recipients per message | Up to 1,000 (admin-configurable) | 100 |
| Messages per minute | 30 | 30 |
| Max message size | 25 MB | 25 MB |
| Max attachments | 250 | 250 |
The 30 messages-per-minute limit surprises developers building automated notification systems. It's a per-mailbox cap, not per-tenant, so distributing sends across multiple mailboxes works around it. For high-volume transactional email, Microsoft recommends using an Azure Communication Services resource or a third-party ESP instead of SMTP AUTH.
When should you skip Outlook SMTP entirely?
SMTP AUTH through smtp.office365.com requires an Azure AD app registration, OAuth 2.0 token management, XOAUTH2 encoding, and per-mailbox admin enablement. If you're building a script, CI/CD pipeline, or developer tool that sends email from an Outlook account, you can skip all of that. The CLI authenticates via OAuth in a browser, caches the token, and handles refresh automatically.
The example below sends an email from an Outlook account in 2 commands. The first authenticates and stores credentials locally. The second sends the message over HTTPS, not SMTP. There's no port 587, no STARTTLS handshake, no XOAUTH2 token encoding, and no admin enablement step.
# Install (macOS or Linux)
brew install nylas/nylas-cli/nylas
# Authenticate your Outlook account
nylas auth login
# Send an email
nylas email send \
--to recipient@example.com \
--subject "Quarterly report" \
--body "See the attached spreadsheet."
# List recent emails to verify delivery
nylas email list --limit 5The same commands work for Gmail, Yahoo, iCloud, Exchange, and IMAP accounts. If you need Outlook-specific SMTP settings for a legacy system that requires raw SMTP, use the quick-reference table at the top of this page. For everything else, skipping SMTP removes the authentication complexity that Microsoft's Basic Auth shutdown introduced.
Next steps
- Gmail SMTP settings — the Gmail equivalent of this reference, with port 587/465 and app password setup
- Send Outlook email from terminal — send Outlook email without Graph API or SMTP
- Office 365 email from PowerShell — manage O365 email in PowerShell scripts
- EWS to Graph migration — migrate from Exchange Web Services before the October 2026 shutdown
- Full command reference — every flag and subcommand documented