SMTP

SMTP email server error

"SMTP email server error" is a generic wrapper around a real 3-digit reply code. Learn to read the 4xx/5xx code, decode RFC 3463 status, and fix the cause.

Updated Jul 1, 2026

The short answer

"SMTP email server error" is a generic label, not a specific SMTP reply. The actual error is the 3-digit reply code that accompanies it (RFC 5321 §4.2.1): 4xx = temporary, retry later; 5xx = permanent, fix and resend. To fix it, find that code (and any X.Y.Z enhanced status from RFC 3463) in your logs, then resolve the underlying authentication, connection, or configuration cause it points to.

"SMTP email server error" is not itself a Simple Mail Transfer Protocol reply code. It is a generic, client-side wrapper that mail libraries and applications print around the actual error returned by the server. The information you need is the 3-digit reply code (and often an X.Y.Z enhanced status code) reported alongside it. Until you read that code, any fix is guesswork.

What causes an "SMTP email server error"?

Per RFC 5321 §4.2.1, every SMTP server reply begins with a 3-digit code whose first digit sets the class:

  • 2xx — success (e.g., 250 OK). Not an error.
  • 4xxtransient failure. The command failed but the condition may be temporary; the sending server should queue and retry (SendGrid retries 4xx for up to 72 hours). Examples: 421 service not available/shutting down per RFC 5321 (in practice, mail servers commonly reuse it for connection-rate limiting — too many concurrent connections), 450 mailbox busy or rate-limited, 451 local processing error, 452 insufficient system storage or too many recipients (RFC 5321 §4.5.3.1.10 explicitly assigns "too many recipients" to 452, correcting an earlier RFC 821 mislabeling of 552).
  • 5xxpermanent failure. Retrying the message unchanged will not help; something about the message, credentials, or destination must change. Examples: 500 syntax error, 530/535 authentication required or failed (defined by the SMTP AUTH extension, RFC 4954 §6 — not base RFC 5321), 550 mailbox unavailable or unauthenticated sender, 551/553 invalid address, 552 quota exceeded or message too large.

Many servers also append an RFC 3463 enhanced status code in class.subject.detail form. The subject digit localizes the fault: X.1.x = addressing, X.2.x = mailbox, X.3.x = destination mail system, X.4.x = network/routing, X.5.x = mail-protocol, X.7.x = security/policy (e.g., 5.7.1 = delivery not authorized). So 550 5.7.1 is a policy/auth rejection, while 550 5.1.1 is an unknown recipient — very different fixes despite sharing 550.

The three practical root-cause buckets behind the generic label are: (1) authentication (wrong/missing credentials), (2) connectivity (blocked port, DNS, TLS handshake), and (3) configuration (bad address, unverified sender, message limits).

How do I fix an "SMTP email server error"?

1. Find the real code. Look in your application logs, SMTP debug output, or your provider's activity/bounce dashboard for the digits and any enhanced status. With Nodemailer the code is on the thrown error's responseCode/response; with Python's smtplib it is in the SMTPResponseException.smtp_code and smtp_error. That code — not the wrapper text — tells you which path below applies.

2. If it is an authentication code (530, 535, 550 5.7.x):

  • Confirm you are using the correct credentials for that provider. For SendGrid SMTP, the username is the literal string apikey and the password is the full ~69-character API key, sent unencoded (SendGrid).
  • For Gmail, Google removed the "Less Secure Apps" toggle for personal accounts in 2022. Google Workspace phased out the same basic-auth access on a separate, later timeline: the admin toggle was removed June 15, 2024, with access cut off for most accounts by September 30, 2024, and the shutdown finalized across remaining accounts around May 1, 2025. Either way, use an App Password (requires 2-Step Verification enabled) or OAuth2 — a regular account password will fail on both.
  • Ensure your client negotiates TLS 1.2 or higher. SendGrid (and most modern relays) reject TLS 1.0/1.1 at the handshake stage (SendGrid ended support June 5, 2023) — this typically surfaces as a connection-reset/handshake error rather than a clean SMTP reply code, so don't expect to see a 535 in that case.
  • Authenticate before issuing MAIL FROM; sending early triggers 550 Unauthenticated senders not allowed.

3. If it is a connectivity failure (timeout, "could not connect", 421): verify reachability of a supported submission port. Both are valid per RFC 8314: 587 (STARTTLS, recommended) and 465 (implicit TLS) — 465 is not deprecated. Port 25 is frequently blocked by ISPs/cloud hosts for outbound mail. Test with:

# Port reachability
nc -vz smtp.yourprovider.com 587
# Banner + STARTTLS + TLS handshake
openssl s_client -connect smtp.yourprovider.com:465
openssl s_client -starttls smtp -connect smtp.yourprovider.com:587

A successful connect returns a 220 banner. handshake failure or wrong version number points to a firewall, VPN, or corporate TLS-inspection proxy stripping STARTTLS or rewriting DNS — compare your resolver against 8.8.8.8/1.1.1.1 to rule out interception (SendGrid connectivity guide).

4. If it is a configuration/content code (550 5.1.1, 551, 552): correct or remove the invalid recipient, verify your sender identity/domain with the provider, and check message-size and recipient-per-message limits. A 552 usually means an oversized message or full mailbox; a 5.1.1 means the address does not exist — scrub it from your list.

5. Match retry behavior to the class. Retry 4xx with exponential backoff; do not loop on 5xx — repeated retries waste resources and can damage sender reputation. If you cannot locate any underlying code, enable verbose SMTP logging and reproduce the send; a truly empty error usually means the connection dropped before the server replied (a connectivity problem, step 3).

FAQ

Common questions

No. It is a generic label that client software wraps around the actual server response. The real, actionable information is the 3-digit reply code (RFC 5321) and any X.Y.Z enhanced status code (RFC 3463) reported with it — for example 535 (auth failed) or 550 5.1.1 (unknown recipient).

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 5321 §4.2.1. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.