SMTP
SMTP 538 5.7.11 means the server refuses AUTH on an unencrypted connection. Enable STARTTLS on port 587 or implicit TLS on port 465 before authenticating.
Updated Jul 1, 2026
The short answer
SMTP 538 (enhanced status 5.7.11, "Encryption required for requested authentication mechanism") means the server refused your AUTH command because you tried to authenticate over an unencrypted connection. The fix is on the client: enable TLS before authenticating, either via STARTTLS on port 587 or implicit TLS on port 465, then resend AUTH.
SMTP reply code 538 carries the enhanced status code 5.7.11 and the text "Encryption required for requested authentication mechanism." It is a permanent (5xx) failure returned in response to the AUTH command, defined in RFC 4954 §6. It means the server will not let you authenticate over a plaintext (unencrypted) connection.
The server received your AUTH command (for example AUTH LOGIN or AUTH PLAIN) on a connection that is not protected by TLS. Mechanisms like PLAIN and LOGIN transmit credentials in the clear, so servers refuse them unless an encryption layer is already active. Per RFC 4954, the code signals that "the selected authentication mechanism may only be used when the underlying SMTP connection is encrypted."
Typical triggers:
AUTH without first upgrading to TLS.STARTTLS before AUTH.AUTH ran.Note: RFC 4954 explicitly deprecates sending 538 — it is "documented here for historical purposes only," and modern servers SHOULD instead simply not advertise plaintext mechanisms until encryption is active. If you receive a live 538, you are talking to a server that still uses the older behavior, but the corrective action is the same.
The fix is on the client side — establish encryption before you authenticate. You almost never need to contact the server admin.
STARTTLS upgrades it to TLS before AUTH).Avoid plain port 25 for authenticated submission.
Turn on TLS/SSL in your mail client. In Outlook, Thunderbird, etc., set the outgoing (SMTP) encryption to STARTTLS (port 587) or SSL/TLS (port 465) rather than "None."
Order STARTTLS before AUTH in code. Ensure your library negotiates TLS first. Examples:
Python smtplib (STARTTLS):
import smtplib, ssls = smtplib.SMTP("smtp.example.com", 587)s.ehlo()s.starttls(context=ssl.create_default_context()) # encrypt BEFORE logins.ehlo()s.login(user, password)
Nodemailer (implicit TLS on 465):
const transport = nodemailer.createTransport({host: "smtp.example.com",port: 465,secure: true, // implicit TLS; use false + requireTLS:true for 587/STARTTLSauth: { user, pass },});
Use the correct credentials for the provider. For personal Gmail accounts, "Less Secure Apps" access was removed on May 30, 2022 — use an App Password (with 2-Step Verification enabled) or OAuth2. Google Workspace accounts followed a separate, later timeline: the admin-console LSA setting was removed in phases, with full enforcement (no LSA, password-only sign-in disabled) landing by May 2025. Either way, send credentials over TLS on port 587 or 465.
If TLS is enabled but still failing, the handshake may be falling back to plaintext. Update your client/library and OpenSSL so a modern TLS version (1.2+) and cipher are offered, then retry.
After enabling encryption and re-issuing AUTH, the login should succeed.
References
FAQ
No. 530 5.7.0 ("Authentication required" or "Must issue a STARTTLS command first") means the server wants authentication or STARTTLS before accepting mail. 538 5.7.11 specifically means you tried to authenticate using a mechanism that is only permitted over an encrypted connection. Both are resolved by enabling TLS, but they are distinct reply codes.
One API, every provider
Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.
Reply-code definitions per RFC 4954 §6 (538 5.7.11). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.
© 2026 Courier. All rights reserved.