SMTP

SMTP Error 530

SMTP error 530 (5.7.0 Authentication Required) means you sent mail without authenticating. Learn the RFC 4954 cause and how to fix it with SMTP AUTH and TLS.

Updated Jul 1, 2026

The short answer

SMTP error 530 means the server refused your command because authentication is required and you haven't authenticated. Per RFC 4954, "530 5.7.0 Authentication required" is returned to MAIL FROM (or other commands) when no valid AUTH has taken place. Fix it by enabling SMTP AUTH and supplying valid credentials over a TLS connection (port 587 with STARTTLS or 465), issuing STARTTLS first if the server demands it.

SMTP error 530 is a permanent (5xx) refusal that means the server will not accept your command until you authenticate. It is defined in RFC 4954 §6 (the SMTP AUTH extension): the 530 5.7.0 Authentication required response "SHOULD be returned by any command other than AUTH, EHLO, HELO, NOOP, RSET, or QUIT when server policy requires authentication in order to perform the requested action and authentication is not currently in force." In practice it almost always fires at MAIL FROM.

What causes SMTP error 530?

RFC 4954 defines a single generic 530 5.7.0 code. The exact trailing text you see is server/vendor-specific wording layered on top of that same code — the RFC itself doesn't separately define a STARTTLS-specific variant or Microsoft's 5.7.57 text. Still, the trailing text tells you which situation you hit:

  • 530 5.7.0 Authentication Required — you never logged in. Your client sent MAIL FROM without a successful AUTH exchange (no credentials, credentials sent for the wrong command, or an AUTH that was skipped). This is what Gmail / Google Workspace returns for unauthenticated submission.
  • 530 5.7.0 Must issue a STARTTLS command first — you tried to authenticate (or send) on a cleartext channel. The server requires the session to be encrypted before it will accept AUTH, so your plaintext attempt is rejected.
  • 530 5.7.57 ... not authenticated to send anonymous mail during MAIL FROM — Microsoft 365 / Exchange Online with SMTP AUTH disabled. SMTP AUTH is off by default tenant-wide and must be enabled on the mailbox; see Microsoft's guidance on authenticated client SMTP submission for the enable procedure, and this Microsoft Q&A thread for the exact error text and cause.

Note: 530 is about missing or impossible authentication, not wrong credentials. If you authenticate and the username/password is rejected, you get 535 5.7.8 instead — a different error. 530 is also not a blocklist/IP-reputation error (those surface as 550/554); the older "your IP may be on a blocklist" explanation for 530 is inaccurate.

How do I fix SMTP error 530?

  1. Turn on SMTP authentication in your client/library and supply valid credentials. The session must complete an AUTH LOGIN/AUTH PLAIN exchange before MAIL FROM.
  2. Connect over TLS on a submission port. Use 587 with STARTTLS or 465 with implicit TLS — both are valid per RFC 8314. Don't authenticate on port 25 to a server that requires encryption, and issue STARTTLS first if you see the "Must issue a STARTTLS command first" variant.
  3. Use a provider-correct credential. Personal Gmail accounts lost "Less Secure Apps" access on May 30, 2022. Google Workspace (business) accounts kept it much longer — basic-auth SMTP/IMAP/POP wasn't disabled until enforcement beginning March 14, 2025, with full cutoff by May 1, 2025. Either way, the fix today is the same: use an App Password (requires 2-Step Verification) or OAuth2, not your normal account password.
  4. For Microsoft 365, enable Authenticated SMTP on the mailbox (Microsoft 365 admin center → Active users → mailbox → Manage email apps → Authenticated SMTP). Sending through the tenant's *.mail.protection.outlook.com MX endpoint ("Direct Send") is not a substitute fix for most senders: Direct Send only delivers to recipients inside your own tenant's accepted domains, so it can't reach external recipients — which is what most people hitting 530 are trying to do. It's also being locked down: Microsoft is rolling out RejectDirectSendEnabled, which rejects Direct Send by default for new tenants starting in early 2026 as an anti-spoofing measure. For external mail, enabling Authenticated SMTP is the correct fix.

Example with Nodemailer (note auth plus a secure port):

const transport = nodemailer.createTransport({
host: "smtp.example.com",
port: 587, // STARTTLS; use 465 with secure:true for implicit TLS
secure: false,
requireTLS: true, // refuse to send if the channel can't be encrypted
auth: { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS },
});

If you're sending through Courier, configure your email provider's SMTP credentials in the Courier provider settings so the authenticated submission is handled for you.

FAQ

Common questions

530 (5.7.0) means the server never reached an authenticated state — either you never attempted AUTH, or your AUTH attempt was rejected before credentials were evaluated (for example, missing STARTTLS). 535 (5.7.8) means credentials were submitted and evaluated, then rejected as invalid. 530 = no successful login reached; 535 = bad login.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 4954 §6 (generic 530 5.7.0 code; STARTTLS and vendor-specific trailing text, e.g. Microsoft's 5.7.57, are not separately defined by the RFC); RFC 3463 (5.7.0). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.