SMTP code 535 means the authentication attempt failed — the server did not accept the provided credentials. This is the most common authentication error in SMTP. The credentials may be wrong (incorrect username or password), the account may be locked or disabled, the authentication mechanism may require a specific format, or additional security requirements may not be met (such as app-specific passwords for accounts with two-factor authentication). Code 535 is permanent for the specific credentials used — the client should not retry with the same credentials but should prompt for corrected ones.
The most straightforward cause is that the credentials are wrong. The username may need to be the full email address (for example, user@example.com) rather than just the username portion, or vice versa. Passwords are case-sensitive and may have been changed.
Providers like Gmail, Yahoo, Microsoft 365, and Apple iCloud require app-specific passwords for SMTP when two-factor authentication is enabled on the account. Using the account's regular password will fail with 535 even though it works for web login.
The account exists but has been suspended, locked due to too many failed login attempts, or disabled by an administrator. The server returns 535 rather than revealing that the account exists but is locked.
For XOAUTH2 authentication, the access token may have expired (tokens are typically valid for 1 hour). The client needs to refresh the token using the refresh token before retrying authentication.
Double-check the username and password. Try logging into the email account via webmail to confirm the password is correct. Ensure the username includes the full email address if required.
If the account uses two-factor authentication, generate an app-specific password from the provider's security settings page. Use this password instead of the regular account password.
Connect to the SMTP server and attempt AUTH manually. Use base64-encoded credentials. This isolates whether the issue is with the credentials or your application's encoding.
openssl s_client -connect mail.example.com:587 -starttls smtp
Log into the email provider's security dashboard and check for blocked sign-in attempts, security alerts, or requirements to allow less-secure apps. Some providers block SMTP access by default.
Ensure your client is using an AUTH mechanism that the server supports. Send EHLO and check the AUTH capabilities line. Try AUTH PLAIN if AUTH LOGIN fails, or vice versa.
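For the manual AUTH test and the mechanism check described above, the following added example (not from the original page) builds the AUTH PLAIN and AUTH LOGIN lines to type into the `openssl s_client` session, reads the mechanisms from an EHLO reply, and decodes a token taken from an application's debug log to spot encoding mistakes. The function names are hypothetical and the credentials and EHLO reply are constructed samples; base64 is an encoding, not encryption, so send these lines only after STARTTLS.

```python
import base64
import binascii
import re

AUTH_LINE = re.compile(r"^250[ -]AUTH[ =](.+)$", re.IGNORECASE)

def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def auth_plain(user: str, password: str) -> str:
    # RFC 4616: authzid NUL authcid NUL passwd, with authzid left empty.
    return "AUTH PLAIN " + b64(f"\0{user}\0{password}")

def auth_login(user: str, password: str) -> list[str]:
    # AUTH LOGIN: send each value on its own line after the server's 334 prompts.
    return ["AUTH LOGIN", b64(user), b64(password)]

def server_mechanisms(ehlo_reply: str) -> list[str]:
    # Collect mechanisms from "250-AUTH PLAIN LOGIN" (or legacy "250-AUTH=...").
    found = []
    for line in ehlo_reply.splitlines():
        match = AUTH_LINE.match(line.strip())
        if match:
            found += match.group(1).upper().split()
    return list(dict.fromkeys(found))  # de-duplicate, keep server order

def plain_token_problems(token: str) -> list[str]:
    # Decode an AUTH PLAIN token captured from an application's debug log and
    # report likely encoding mistakes that yield 535 despite a correct password.
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ["not valid base64/UTF-8"]
    fields = raw.split("\0")
    if len(fields) != 3:
        return [f"expected 3 NUL-separated fields, got {len(fields)}"]
    problems = []
    for name, value in zip(("authzid", "username", "password"), fields):
        if value != value.strip():
            problems.append(f"{name} has leading/trailing whitespace or newline")
    if not fields[1] or not fields[2]:
        problems.append("empty username or password")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real server reply.
    print(auth_plain("user@example.com", "s3cret"))
    print(server_mechanisms("250-mail.example.com\r\n250-AUTH LOGIN PLAIN\r\n250 OK"))
    print(plain_token_problems(b64("\0user@example.com\0s3cret\n")))
```

If the token your application sends decodes cleanly here and the same credentials still return 535 when typed by hand, the problem is the credentials or account state rather than the client's encoding.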