SMTP AUTH Deprecation (2026): Fix Exchange Online Email Sending Errors
Microsoft is deprecating Basic Authentication for SMTP AUTH in Exchange Online. When it’s disabled, applications and devices that send mail using username/password over SMTP stop working — you get authentication errors and email sending breaks. This guide explains the common errors, how to check your tenant, and how to fix or migrate.
Read-only checks · No email sending · No DNS changes
Table of Contents
Quick diagnosis (2 minutes)
- Confirm the sender uses SMTP AUTH (not Graph/API).
- Check tenant setting:
SmtpClientAuthenticationDisabled. - Check mailbox setting:
SmtpClientAuthenticationDisabled. - If you see 535 5.7.3, assume Basic Auth is blocked or misconfigured.
- Prefer Modern Auth / provider API for long-term stability.
Common error messages
These are among the most common search queries when SMTP AUTH breaks. They usually indicate that Basic Auth for SMTP is disabled or being phased out:
- 535 5.7.3 Authentication unsuccessful — The server rejected the SMTP AUTH credentials. Often means Basic Auth for SMTP is disabled for the mailbox or tenant.
- 5.7.57 Client not authenticated — The client tried to send without successful authentication. Common when SMTP AUTH is turned off.
- Basic authentication is disabled — Microsoft has disabled Basic Auth for the protocol (here, SMTP). You need Modern Auth (OAuth) or an alternative sending path.
- SMTP AUTH disabled for tenant — Tenant-wide setting:
SmtpClientAuthenticationDisabledis true, so SMTP AUTH is blocked for the organization.
Common SMTP AUTH errors — what they mean and how to fix them
| Error | Likely cause | What to do |
|---|---|---|
| 535 5.7.3 Authentication unsuccessful | Basic Auth blocked / wrong auth method | Move to Modern Auth (OAuth) or confirm SMTP AUTH is enabled for mailbox |
| 5.7.57 Client not authenticated | SMTP AUTH disabled tenant-wide or mailbox | Check tenant + mailbox SMTP AUTH flags |
| Basic authentication is disabled | Basic Auth deprecation enforcement | Migrate sending method (OAuth / relay / provider API) |
| SMTP AUTH disabled for tenant | Org setting disabled | Validate TransportConfig + update policy where appropriate |
Best-effort guidance; your environment may vary.
Fix SMTP AUTH errors by exact message
550 5.7.30 Basic authentication is not supported for Client Submission
This means Basic Auth (username/password) is blocked for client submission in Exchange Online. Only OAuth/Modern Auth or other supported paths are accepted.
- Move to OAuth/Modern Auth client submission (preferred).
- Use SMTP relay (if allowed) or a provider API.
- Validate tenant + mailbox SMTP AUTH settings.
Who this usually affects: printers/MFPs, legacy apps, scripts.
535 5.7.3 Authentication unsuccessful
Common causes: wrong password, SMTP AUTH disabled for the mailbox or tenant, MFA without app password, or Basic Auth blocked by policy.
- Use app passwords if MFA is required and the app supports it.
- Enable SMTP AUTH per mailbox temporarily (see table above) while you plan migration.
- Move to OAuth/Modern Auth for a long-term fix.
5.7.57 Client not authenticated
The client tried to send without successful authentication — often due to auth policy or SMTP AUTH disabled.
- Verify tenant setting and mailbox overrides for SMTP AUTH.
- Prefer OAuth/Modern Auth where supported.
Scan to email: migrating printers off SMTP AUTH Basic Auth
When Basic Auth is removed, devices that use username/password for SMTP stop working. For scan to email SMTP AUTH OAuth Microsoft migration, and for printer SMTP OAuth Microsoft 365 Exchange Online scenarios, you need a path that doesn’t rely on Basic Auth.
What breaks: the device connects to smtp.office365.com (or similar) with a username and password; once Microsoft turns off Basic Auth for that tenant or mailbox, the connection is rejected.
Paths that work:
- Use vendor-supported OAuth2 for SMTP if the device supports it.
- Use an internal relay that authenticates with OAuth upstream to Exchange Online.
- Use a transactional provider SMTP/API for scan-to-email so the device sends to your relay or API instead of Exchange.
Many MFPs don’t support OAuth2 SMTP; relay or a third-party sending path is common.
What is SMTP AUTH Basic Auth?
SMTP AUTH is the method clients use to authenticate to an SMTP server (e.g. Exchange Online) before sending mail. "Basic Auth" means sending a username and password over the connection. Microsoft is removing Basic Auth for SMTP (and other protocols) because it’s less secure than Modern Authentication (OAuth 2.0). Once Basic Auth is disabled, any app or device that only knows how to send username/password will start failing with errors like 535 5.7.3.
How to check if SMTP AUTH is disabled
In Exchange Online (PowerShell), you can check tenant-wide and per-mailbox settings:
Tenant-wide (affects all mailboxes unless overridden):
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
Per-mailbox (for a specific user):
Get-CASMailbox user@domain.com | Format-List SmtpClientAuthenticationDisabled
If SmtpClientAuthenticationDisabled is True at the tenant or mailbox level, SMTP AUTH is disabled. Per-mailbox can override tenant default in some configurations.
Check which apps are using SMTP AUTH Microsoft 365
"Client submission" means mail sent by clients (apps, devices, scripts) directly to Exchange Online over SMTP (e.g. smtp.office365.com). To see what’s using it, use the SMTP AUTH Clients Submission Report Exchange Online and your own inventory.
- Check mail client and app configs for smtp.office365.com (or equivalent) usage.
- Identify service accounts used for SMTP (scanners, scripts, legacy apps).
- Review tenant SMTP AUTH settings and per-mailbox overrides.
Microsoft provides reporting and visibility in the admin center; check the latest docs for the exact report name and location.
How to fix
Recommended: Migrate to OAuth / Modern Auth. For how to migrate SMTP AUTH to OAuth Microsoft 365, use Microsoft Graph or SMTP AUTH with OAuth 2.0 so your app or device uses tokens instead of a password. For an OAuth2 SMTP Exchange Online setup guide, see Microsoft’s official docs and your app or device vendor. This is the long-term fix and what Microsoft supports going forward.
Temporary: Enable SMTP AUTH per mailbox. Only if you need time to migrate, you can re-enable Basic Auth for specific mailboxes (when allowed by tenant policy). In PowerShell:
Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $false
Alternative: Change how you send. Use a transactional email provider (SendGrid, Mailgun, Resend, etc.), an SMTP relay that supports Modern Auth, or an API (e.g. Microsoft Graph) instead of legacy SMTP AUTH. That avoids dependency on Basic Auth entirely.
Enabling SMTP AUTH again is not future-proof — Microsoft is deprecating Basic Auth. Plan to move to OAuth or another sending path.
SMTP AUTH Basic auth removal date Microsoft 365
Dates and timelines can change; always verify in the official Microsoft Basic Auth deprecation documentation. The SMTP AUTH Basic Auth removal April 2026 and related deadlines are part of a broader deprecation. Basic Auth SMTP Office365 deprecated means many tenants already see the Microsoft 365 end Basic Auth SMTP error when Basic Auth is turned off. Legacy app SMTP AUTH deprecation Microsoft is the same story: plan migration to OAuth or another sending path rather than relying on Basic Auth long term.
How this impacts deliverability
If SMTP AUTH is disabled, mail may not send at all — so SPF and DMARC can be correct and you still see failures. Monitoring your domain (SPF, DMARC, blacklist status) helps you spot posture and configuration issues early. Run a free deliverability scan, check blacklist status, verify DMARC configuration and SPF records, and use our email deliverability checklist to keep DNS and policy in good shape alongside any SMTP AUTH migration.
FAQ
Does Microsoft still allow SMTP AUTH?
SMTP AUTH as a capability is still supported. Basic Authentication (username/password) for SMTP is being deprecated. Microsoft supports SMTP AUTH with OAuth 2.0 (Modern Auth) for supported clients and scenarios.
Is SMTP AUTH the same as SMTP relay?
No. SMTP AUTH is the method used to authenticate to an SMTP server. SMTP relay usually means a server that accepts and forwards mail (e.g. for scanners or apps). A relay can use SMTP AUTH for authentication; when Basic Auth is disabled, the relay client must use OAuth or another supported method.
Will this affect on-prem Exchange?
The deprecation applies to Exchange Online (Microsoft 365). On-premises Exchange is under your control; you can still enable or disable SMTP AUTH and Basic Auth per your own policy. Hybrid setups may be affected if mail flows through Exchange Online and uses Basic Auth there.
What is the alternative to SMTP AUTH?
For Exchange Online, the recommended alternative is SMTP AUTH with OAuth 2.0 (Modern Auth), or sending via Microsoft Graph API. Alternatively, use a third-party transactional provider or SMTP relay that supports OAuth or API-based sending so you don’t rely on Basic Auth.
What does error 535 5.7.3 mean?
535 5.7.3 Authentication unsuccessful means the server rejected the credentials provided during SMTP AUTH. In Exchange Online, this often means Basic Auth for SMTP is disabled for that mailbox or tenant, or the account is blocked from SMTP AUTH.
Do I need DKIM/SPF/DMARC for this?
SMTP AUTH is about authenticating to the outbound server so you can send. DKIM, SPF, and DMARC are about domain authentication and policy for the mail that gets sent. You need both: working SMTP AUTH (or another sending path) so mail goes out, and correct SPF/DMARC so receivers trust it. Use our DMARC and SPF guides and a free scan to verify DNS and policy.
What does "550 5.7.30 Basic authentication is not supported for Client Submission" mean?
It means Exchange Online is rejecting Basic Auth (username/password) for client submission. You must use OAuth/Modern Auth, an SMTP relay, or a provider API instead.
How do I migrate SMTP AUTH to OAuth in Microsoft 365?
Use Microsoft Graph or SMTP AUTH with OAuth 2.0 so your app uses tokens instead of a password. Enable Modern Auth in the tenant and configure the app or device for OAuth; see our How to fix section for options.
Why do printers break with SMTP AUTH deprecation?
Many printers and MFPs only support Basic Auth (username/password) for scan-to-email. When Microsoft disables Basic Auth for SMTP, those devices can no longer authenticate. Use vendor OAuth2 if supported, an internal relay, or a transactional provider.
Related searches this guide answers
- 550 5.7.30 Basic authentication is not supported for Client Submission
- Basic Auth SMTP Office365 deprecated
- Microsoft 365 end Basic Auth SMTP error
- SMTP AUTH Basic Auth removal April 2026
- How to migrate SMTP AUTH to OAuth Microsoft 365
- Check which apps are using SMTP AUTH Microsoft
- SMTP AUTH Clients Submission Report Exchange Online
- OAuth2 SMTP Exchange Online setup guide
- scan to email SMTP AUTH OAuth Microsoft
- printer SMTP OAuth Microsoft 365 Exchange Online
- SMTP AUTH Basic auth removal date Microsoft 365
- Legacy app SMTP AUTH deprecation Microsoft
Run a free scan · Guides · Blacklist checker · DMARC checker · SPF checker · Deliverability checklist
If you'd like an automated SMTP AUTH diagnostic tool, join the waitlist.