SMTP
Moodle raises Could not authenticate when SMTP AUTH fails. Use a Gmail App Password or Microsoft 365 XOAUTH2 and match the security mode to the mail port.
Updated Jul 1, 2026
The short answer
"SMTP Error: Could not authenticate" is the message Moodle's bundled PHPMailer library raises when the mail server rejects the credentials in your Outgoing mail configuration (the SMTP AUTH handshake, RFC 4954, fails). Fix it by entering the correct SMTP username and password, using a Gmail App Password or Microsoft 365 XOAUTH2 instead of your normal login, and matching the security mode (TLS/SSL) to the port.
Moodle does not implement SMTP itself — it sends mail through the bundled PHPMailer library. The string SMTP Error: Could not authenticate. is emitted by PHPMailer when the server refuses the credentials during the SMTP AUTH exchange (RFC 4954). In practice this almost always means the username/password/auth-method in Site administration → Server → Email → Outgoing mail configuration don't match what your provider expects.
The mail server completed the connection and TLS, then returned a failure (typically 535 5.7.8 Authentication credentials invalid) to PHPMailer's AUTH LOGIN/PLAIN command. Common triggers:
smtp.gmail.com:587 (security TLS) or smtp.gmail.com:465 (security SSL)smtp.office365.com:587 (security TLS)If credentials are confirmed correct and it still fails, the rejection is on the mail server side — ask that server's administrator to check the mail log for the exact AUTH failure, and verify your sending IP isn't blocked.
References
FAQ
Yes. Enable 2-Step Verification on the Google account, generate an App Password, and enter it as the SMTP password in Outgoing mail configuration with host smtp.gmail.com on port 587 (TLS) or 465 (SSL). Google's old 'Less secure apps' toggle was removed in 2022 and should not be relied on.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 4954. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.