@darwin
Last active December 28, 2024 09:33
Gmail issue: 535 5.7.8 Username and Password not accepted.

The problem

I'm using web-based Gmail as my primary email client. I want to use another SMTP server to send emails using a secondary email address which is managed by GSuite.

GMail offers "Send emails from a different address or alias" feature[1].

Historically it has been possible to use smtp.gmail.com with my GSuite credentials to enable the feature and send emails via my secondary email without problems.

Unfortunately this solution is no longer working properly. It suffers from intermittent "535 5.7.8 Username and Password not accepted." issues. The Internet is full of complaints[6][7] with messy answers and without a proper solution.

First, don't get side-tracked with fiddling with "less secure apps"

Generally there are two ways to use smtp.gmail.com (speaking about the secondary email Google account, GSuite in my case):

Method 1
  1. your account does not have 2FA
  2. you use your real login+password
  3. and you must have enabled "Use less secure apps" under the account security
Method 2
  1. your account does have 2FA enabled
  2. you must generate a new app-specific password
  3. and you use login+generated password[3][4]

This is causing quite some confusion among users. Anyway, I tested both methods and both are subject to this issue.

My theory

(this is my speculation)

The Gmail web interface uses some backend services to send emails. This is probably some Google cloud, so it is not one but many machines in the cloud. When you add a new email via "Send emails from a different address or alias", Gmail immediately performs a test of the connection and then has to store the credentials for later use.

Note that smtp.gmail.com is another independent service running in the cloud, not related to the "Send emails from a different address or alias" feature of gmail. (smtp.gmail.com may be used by any 3rd party app to send emails via google).

Recently (probably around April 2020) Google likely deployed more security hardening of smtp.gmail.com. Imagine a stricter blacklist for abusive computers. So smtp.gmail.com might refuse to communicate with a banned IP. The likely root of the problem is that Google's own computers providing the "Send emails from a different address or alias" feature of Gmail might get banned.

This would explain the random behaviour of the issue:

  1. assume Gmail web-interface uses 10 backend computers: C0, C1, C2, ..., C9 to implement the "Send emails from a different address or alias" feature
  2. assume none of them is currently banned by smtp.gmail.com
  3. your web interface is assigned to work with C0.
  4. you are able to set up "Send emails from a different address or alias" with your GSuite login+password, no problem in validating your credentials
  5. later some bad actor using the Gmail web interface behaves in a way which triggers an smtp.gmail.com ban, say it happened to be the C0 machine
  6. later when you try to send an email via the Gmail web interface, it uses C0, and you get the "535 5.7.8 Username and Password not accepted." response back [5]
  7. then you go into Gmail settings and try to re-enter your password, and you get back "Authentication failed. Please check your username/password and Less Secure Apps...". This leads to great confusion because your username/password are 100% correct. And you have no idea what "Less Secure Apps" means, because you already have 2FA enabled, so this option is nowhere to be found. You try to google for some explanation and there is no clear answer. Only partially correct historical pages describing various stages of how it worked in the past, or confusing pages not related to the issue.
  8. anyway, the C0 ban is somehow time-limited. So it is possible that during the next 24h or so, it starts working again. Or there is a chance your Gmail client starts using a different backend computer, say C1, because of rotation.
  9. so the feature now started working again...
  10. ...until it stops again - because some other backend computer got banned and your gmail web client happened to be using it.

This also explains why some people on the forums claim they solved the issue by enabling 2FA, or doing some captcha voodoo with the Less Secure Apps setting, or by removing and re-adding the email account in the "Send emails from a different address or alias" settings.

It was pure luck, or they managed to trigger a reassignment of their backend computer, so they luckily got assigned a non-banned machine.

[1] https://support.google.com/mail/answer/22370?hl=en
[3] https://support.google.com/domains/answer/9437157?hl=en
[4] Note that the option to "Use less secure apps" is not available with 2FA enabled.
[5] Note that technically there is no problem in the login/password; the problem is that C0 is banned and smtp.gmail.com refused to talk to it.
[6] https://support.google.com/accounts/thread/4520575?hl=en
[7] https://support.google.com/mail/thread/40210887?hl=en
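
One way to check whether the 535 failures really are intermittent for an unchanged credential, as the theory above predicts: log every AUTH reply next to a label for the stored credential and look for a rejection that sits between two successes. This is an added example, not part of the original gist; the log format, the `cred=` labels and the sample lines are constructed assumptions.

```ruby
# Added example. The log format, cred= labels and sample lines are constructed.
Reply = Struct.new(:code, :enhanced, :text)

# Parse one SMTP reply line such as "535-5.7.8 Username and Password not accepted."
def parse_reply(line)
  m = line.strip.match(/\A(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)\z/)
  m && Reply.new(m[1].to_i, m[2], m[3])
end

# Coarse outcome of an AUTH attempt. 235 means AUTH succeeded (RFC 4954);
# 535 or enhanced code 5.7.8 means the server rejected the credentials offered.
def outcome(reply)
  return :unparsed if reply.nil?
  return :ok if reply.code == 235
  return :auth_rejected if reply.code == 535 || reply.enhanced == "5.7.8"
  return :temporary if reply.code.between?(400, 499)
  :other_failure
end

# Return the credential labels that were accepted, then rejected, then accepted
# again. Each line is "<ISO-8601 UTC time> cred=<label> <SMTP reply>", where the
# label names the stored credential (never the secret itself).
def flapping_credentials(lines)
  by_cred = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    ts, cred, reply = line.split(" ", 3)
    next unless reply && cred.start_with?("cred=")
    by_cred[cred.delete_prefix("cred=")] << [ts, outcome(parse_reply(reply))]
  end
  flapping = by_cred.select do |_label, events|
    seq = events.sort_by(&:first).map(&:last) # same-format UTC stamps sort as text
    first_ok = seq.index(:ok)
    first_ok && seq[first_ok..seq.rindex(:ok)].include?(:auth_rejected)
  end
  flapping.keys
end

# Constructed sample: v1 works, fails, works again; v2 never works.
SAMPLE_LOG = [
  "2024-10-07T09:00:00Z cred=v1 235 2.7.0 Accepted",
  "2024-10-07T13:00:00Z cred=v1 535 5.7.8 Username and Password not accepted.",
  "2024-10-08T09:00:00Z cred=v1 235 2.7.0 Accepted",
  "2024-10-08T10:00:00Z cred=v2 535-5.7.8 Username and Password not accepted.",
  "2024-10-08T10:05:00Z cred=v2 535 5.7.8 Username and Password not accepted."
].freeze

puts "flapping credentials: #{flapping_credentials(SAMPLE_LOG).inspect}"
```

A label reported here was accepted both before and after the 535, so a mistyped password does not explain that rejection. A label that only ever fails (v2 in the sample) points at the credential itself.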
@kashiftufail

Just do these simple steps

  1. After signing in to your Google account, click below your photo icon on

     "Manage your Google Account"
    
  2. Then click on the "Security" tab.

  3. Find "How you sign in to Google"

  4. Then Google needs you to turn on "2-Step Verification"

  5. After doing that by giving your account password, go to the bottom of the page and find

    "App passwords"

  6. Click on "Select app"; in my case I selected "Other" and gave it the name "website".

  7. The password will be generated; this will be your password for the
    SMTP configuration rather than your actual account password.

     config.action_mailer.smtp_settings = {
       :address              => "smtp.gmail.com",
       :port                 => 587,
       :user_name            => '[email protected]',
       :password             => 'google generated password',
       :authentication       => "plain",
       :enable_starttls_auto => true
     }
    

This will surely work!

@AngusWheatley

There is a problem now where you cannot even enable "Use less secure apps" (I don't know why, more safety I guess). Is there any solution to this?

@MassCodeGit

@AngusWheatley we are running into the same issue, any luck on your side?

@Robison-Aranha

Robison-Aranha commented Jul 1, 2023

It worked for me!
I created the key in the menu account and instead of using my password I used the generated key to authorize my application!!
Thanks bro!! 👍

This is how I defined my application.yml in Spring Boot:

  spring:
    mail:
      host: smtp.gmail.com
      port: 587
      username: ${EMAIL_SENDER_ID}
      password: ${EMAIL_SENDER_PASSWORD}  # <- key generated
      properties:
        mail:
          smtp:
            auth: true
            starttls:
              enable: true

@Vincemeister

I don't see that section you're referring to below

After do it by giving your account password. Go to bottom of page and find
"App passwords"

@PresidentPol

This worked for me. I reinstituted an app password. In fact, I had done that earlier but later on I ended the 2 FA and then I could not receive or send Gmail with Outlook any more.
Thanks!

@atleta

atleta commented Oct 7, 2024

App password/2FA/2SV is definitely not the solution. It may work in some cases, but as of Oct 2024 less secure apps still work. I am using several Google Workspaces accounts together: I have my own account with my own domain and I'm using 2 other accounts from 2 different domains (these are not managed by me). Sending email through one of these does work (with less secure apps enabled) while the other one has stopped working some time ago. It also has less secure apps enabled. No 2FA on any of these two.

It's an unrelated issue. The difference might be a setting by the Workspace admin but Google doesn't tell you what that setting is. (Note that it's not globally disabling less secure apps, because the setting is there and can be enabled for both accounts.)
