SMTP

Moodle SMTP Error: Could Not Authenticate

Moodle raises Could not authenticate when SMTP AUTH fails. Use a Gmail App Password or Microsoft 365 XOAUTH2 and match the security mode to the mail port.

Updated Jul 1, 2026

The short answer

"SMTP Error: Could not authenticate" is the message Moodle's bundled PHPMailer library raises when the mail server rejects the credentials in your Outgoing mail configuration (the SMTP AUTH handshake, RFC 4954, fails). Fix it by entering the correct SMTP username and password, using a Gmail App Password or Microsoft 365 XOAUTH2 instead of your normal login, and matching the security mode (TLS/SSL) to the port.

Moodle does not implement SMTP itself — it sends mail through the bundled PHPMailer library. The string SMTP Error: Could not authenticate. is emitted by PHPMailer when the server refuses the credentials during the SMTP AUTH exchange (RFC 4954). In practice this almost always means the username/password/auth-method in Site administration → Server → Email → Outgoing mail configuration don't match what your provider expects.

What causes "SMTP Error: Could not authenticate" in Moodle?

The mail server completed the connection and TLS, then returned a failure (typically 535 5.7.8 Authentication credentials invalid) to PHPMailer's AUTH LOGIN/PLAIN command. Common triggers:

  • Wrong SMTP username or password in Outgoing mail configuration. The SMTP username is usually the full email address, and the password is the mailbox/SMTP password — not your Moodle login.
  • Using a normal account password where the provider now requires an app-specific credential. Google removed "Less secure apps" access in 2022, so a plain Google account password will be rejected in favor of an App Password.
  • Wrong "SMTP Auth Type." Moodle offers LOGIN, PLAIN and (since Moodle 4.1, MDL-61921) XOAUTH2. Most password-based providers want LOGIN; Microsoft 365/Gmail OAuth requires XOAUTH2 with a configured OAuth 2 service.
  • Security/port mismatch. If SMTP security (None/SSL/TLS) doesn't match the host port, the session can fail before or during AUTH.

How do I fix it?

  1. Open Site administration → Server → Email → Outgoing mail configuration and re-check SMTP hosts, SMTP security, SMTP Auth Type, SMTP username, and SMTP password.
  2. Set the right host + port + security. Both implicit TLS (port 465) and STARTTLS (port 587) are valid per RFC 8314; 465 is not deprecated. Examples:
  3. Gmail / Google Workspace: smtp.gmail.com:587 (security TLS) or smtp.gmail.com:465 (security SSL)
  4. Microsoft 365: smtp.office365.com:587 (security TLS)
  5. Use the correct credential type:
  6. Gmail/Workspace: enable 2-Step Verification, generate an App Password, and paste that 16-character value as the SMTP password. Do not re-enable "Less secure apps" — it no longer exists.
  7. Microsoft 365: Microsoft has already disabled Basic Auth tenant-wide for other protocols (EAS, POP, IMAP, EWS, PowerShell) since 2022–2023, and disabled SMTP AUTH specifically for any tenant with no recorded usage. For tenants still actively using SMTP AUTH, Microsoft plans to turn it off by default starting end of December 2026 (admin-reversible; a final removal date hasn't been announced as of mid-2026). Don't assume XOAUTH2 is mandatory before checking whether your tenant's SMTP AUTH has actually been disabled — most "Could not authenticate" failures against Office 365 today are still plain wrong-password issues. If your tenant has disabled Basic Auth, set SMTP Auth Type = XOAUTH2 and configure an OAuth 2 service (requires Moodle 4.1+).
  8. Match the username format — for Gmail and M365 the SMTP username is the full email address.
  9. For some relay/internal servers, leave username and password blank. If your smarthost authenticates by IP rather than credentials, populating these fields can cause the AUTH attempt — and this error. Clearing both lets Moodle skip AUTH.
  10. Save, then use the Test outgoing mail configuration page (Server → Email) to send a test message. To see the full PHPMailer/SMTP dialogue, temporarily set Debug messages to DEVELOPER level (Development → Debugging) and check the output.

If credentials are confirmed correct and it still fails, the rejection is on the mail server side — ask that server's administrator to check the mail log for the exact AUTH failure, and verify your sending IP isn't blocked.

FAQ

Common questions

Yes. Enable 2-Step Verification on the Google account, generate an App Password, and enter it as the SMTP password in Outgoing mail configuration with host smtp.gmail.com on port 587 (TLS) or 465 (SSL). Google's old 'Less secure apps' toggle was removed in 2022 and should not be relied on.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 4954. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.