Gmail SMTP at a glance
Gmail's SMTP server is smtp.gmail.com. Send on port 587 with STARTTLS, or port 465 with implicit SSL/TLS. Both work. The submission daily cap on the standard authenticated server is 2,000 messages per 24 hours. Workspace tenants can also use smtp-relay.gmail.com on the same ports for IP-authenticated relay up to 10,000 recipients per user per day.
The single most important thing to understand about Gmail SMTP in 2026 is that you cannot use your Google account password directly. Less Secure App Access was retired in 2022. If two-step verification is on (and it should be), every SMTP client either authenticates with an App Password or with full OAuth 2.0. There is no third option that Google's authenticated SMTP server still accepts.
Step-by-step Gmail SMTP setup
Configuring Gmail in any standard email client takes about four minutes once you have an App Password in hand. The fields below match the labels in Outlook, Apple Mail, Thunderbird, mobile mail apps, and most line-of-business applications.
1. Enable two-step verification
Open myaccount.google.com/security and turn on 2-Step Verification if it isn't already. Without it, the App Password screen won't appear and you won't be able to authenticate against smtp.gmail.com at all.
2. Generate an App Password
Go to myaccount.google.com/apppasswords, name the app something descriptive (the device or sequencer name), and Google produces a 16-character password. Copy it. You won't see it again, and Google does not let you rename it later. Each connected client should get its own App Password so you can revoke each one individually.
3. Configure outgoing mail
- SMTP server: smtp.gmail.com
- Port: 587 (recommended)
- Encryption: STARTTLS
- Authentication: required
- Username: your full Gmail address
- Password: the 16-character App Password from step 2
If your client doesn't support STARTTLS but does support implicit SSL, switch to port 465 instead. The hostname and credentials don't change. Avoid port 25 entirely. Most consumer ISPs block outbound port 25 because it's reserved for server-to-server SMTP, not client submission, and Gmail's submission server doesn't accept it from arbitrary clients anyway.
4. Configure incoming IMAP (optional)
If you also want the client to read the inbox, set IMAP to imap.gmail.com on port 993 with SSL/TLS. Same username, same App Password. Enable IMAP first under Gmail Settings → Forwarding and POP/IMAP, otherwise the client will connect but show no folders. POP3 is pop.gmail.com on port 995, but unless you have a specific reason to use POP, IMAP is the right choice.
5. Send a test message
Send a one-line test from the client to a different mailbox you control. Confirm the message arrives, the From address is correct, and headers show authentication passing (SPF, DKIM, DMARC all aligned). If any of those fail, the issue is almost always one of: wrong password, App Password not generated, 2FA not enabled on the account, or the client trying port 25 silently.
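The same procedure as a script, added here as an example and not taken from the original page: it submits a test message on port 587 with STARTTLS and certificate verification, then checks the SPF, DKIM and DMARC verdicts in the headers of the received copy. The function names and the sample headers are constructed for illustration.

```python
import email
import re
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST, SMTP_PORT = "smtp.gmail.com", 587  # settings from step 3

# Constructed sample headers (not from a real message) for the step 5 check.
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.net;\n"
    "       dkim=pass header.i=@example.com;\n"
    "       spf=pass smtp.mailfrom=sender@example.com;\n"
    "       dmarc=pass header.from=example.com\n"
    "Subject: Gmail SMTP test\n\n"
)


def normalize_app_password(raw: str) -> str:
    """Drop the display spaces and insist on the 16 characters from step 2."""
    password = "".join(raw.split())
    if len(password) != 16:
        raise ValueError("expected a 16-character App Password")
    return password


def send_test(sender: str, raw_password: str, recipient: str) -> None:
    """Submit one test message over STARTTLS with certificate verification."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Gmail SMTP test"
    msg.set_content("One-line test message.")
    context = ssl.create_default_context()  # checks certificate and hostname
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.starttls(context=context)  # raises if STARTTLS is not offered
        smtp.login(sender, normalize_app_password(raw_password))
        smtp.send_message(msg)


def auth_verdicts(raw_headers: str) -> dict:
    """spf/dkim/dmarc results from the topmost Authentication-Results header."""
    fields = email.message_from_string(raw_headers).get_all(
        "Authentication-Results", [])
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", fields[0] if fields else ""))


def all_pass(raw_headers: str) -> bool:
    """True only when all three checks are present and report pass."""
    verdicts = auth_verdicts(raw_headers)
    return all(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
```

Only the topmost Authentication-Results header is read, because it is the one stamped by the receiving server; a missing verdict counts as a failure.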
OAuth vs. App Password — which to use
App Passwords are simple and they work, but they're a long-lived static credential. If a device is lost or compromised, that App Password keeps working until you manually revoke it. For automated systems, OAuth 2.0 is the cleaner pattern: the SMTP client uses an access token, the token rotates on a short schedule, and revocation happens centrally via the Google Cloud console.
For a single user configuring Outlook on a laptop, App Password is fine. For a server-side application sending mail from a mailbox, OAuth is the right answer. The XOAUTH2 SASL mechanism is what smtp.gmail.com expects — your application requests a token with the https://mail.google.com/ scope, then sends an AUTH XOAUTH2 command with the base64-encoded token in place of a password.
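An added example of the XOAUTH2 exchange described above, not code from the original page. It assumes an access token with the https://mail.google.com/ scope has already been obtained elsewhere; the class and function names are hypothetical. The string that gets base64-encoded carries both the username and the bearer token, separated by \x01 bytes.

```python
import json
import smtplib
import ssl


def xoauth2_string(user: str, access_token: str) -> str:
    """Unencoded SASL XOAUTH2 initial response; smtplib base64-encodes it."""
    for value in (user, access_token):
        # \x01 separates the fields, so it must never appear inside one.
        if not value or not value.isascii() or "\x01" in value:
            raise ValueError("user and token must be non-empty ASCII without \\x01")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


class XOAuth2:
    """authobject for smtplib.SMTP.auth() that keeps the server's error detail."""

    def __init__(self, user: str, access_token: str):
        self.initial = xoauth2_string(user, access_token)
        self.error = None

    def __call__(self, challenge=None):
        if challenge is None:
            return self.initial  # first call: the initial response
        try:
            self.error = json.loads(challenge)  # a 334 challenge carries error JSON
        except ValueError:
            self.error = challenge
        return ""  # empty reply lets the server send its final status


def send_with_token(user: str, access_token: str, msg) -> None:
    """Submit msg on port 587, authenticating with an OAuth 2.0 access token."""
    auth = XOAuth2(user, access_token)
    with smtplib.SMTP("smtp.gmail.com", 587, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # re-read the capabilities offered after TLS
        try:
            smtp.auth("XOAUTH2", auth)
        except smtplib.SMTPAuthenticationError as exc:
            raise PermissionError(f"XOAUTH2 rejected: {auth.error}") from exc
        smtp.send_message(msg)
```

An expired or revoked token surfaces as a PermissionError carrying the server's JSON error, which is the signal to refresh the token rather than retry the same one.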
The smtp.gmail.com vs smtp-relay.gmail.com decision
Workspace administrators have a second option that personal Gmail users don't: the SMTP relay service at smtp-relay.gmail.com. Same ports (25, 465, 587), same encryption options, but authentication is by IP address rather than per-mailbox credentials. The cap rises from 2,000 messages per day to 10,000 recipients per user per day, and the relay can send from any address on a verified domain in the Workspace tenant.
Use smtp.gmail.com when:
- You're configuring a single mailbox client (Outlook, Apple Mail, mobile)
- The application authenticates as a specific user with their credentials
- Volume is well under 2,000 messages per day
Use smtp-relay.gmail.com when:
- You're an administrator routing mail from a printer, scanner, or LOB application
- You can pin the source to a static public IP that you'll allowlist in the Admin console
- You need to send from multiple addresses on the domain rather than just the authenticated mailbox
The third option, the restricted Gmail SMTP server at aspmx.l.google.com on port 25, is for legacy devices that can't do TLS. It only delivers to Gmail and Workspace recipients on the same domain. Useful for an old multifunction printer scanning to internal addresses; useless for anything else.
Common Gmail SMTP errors and what they actually mean
Most of the support tickets that look like Gmail SMTP problems are credential problems wearing a TLS costume. Three patterns cover roughly 90% of them.
535-5.7.8 Username and Password not accepted. You're sending the regular account password instead of an App Password, or the App Password got mistyped. Generate a fresh one and paste rather than retype. The 16 characters Google shows include spaces for readability; the spaces are not part of the password.
Daily sending quota exceeded. You hit 2,000 messages in 24 hours. Wait. Or, if you're on Workspace and this is sustained, move to smtp-relay.gmail.com. There is no way to raise the cap on the personal authenticated server.
Connection timed out on port 25. Your network blocks 25 outbound. Switch to 587 or 465. If those also fail, the network is blocking outbound submission entirely, which is common on hotel and airport Wi-Fi.
Gmail SMTP for cold email — the honest answer
Gmail's authenticated SMTP server is excellent for what it's designed for: a single human sending personal and small-business mail. It's a bad fit for cold outreach at any meaningful volume, for three reasons that all stack on each other.
First, the cap. Two thousand messages per day per mailbox sounds like a lot until you do the math on a real campaign. A modest cold-email program targets 30-50 sends per day per inbox to look like normal business activity, with at least 20-30 inboxes in rotation across multiple domains. You don't get there with one Gmail account.
Second, the reputation surface. Gmail evaluates sender reputation per domain. Cold outreach from your primary business domain puts customer service, billing, and exec communications on the same reputation that a few unreplied cold emails are slowly tanking. One bad week of cold email and your billing receipts start landing in spam.
Third, warmup. Gmail's algorithms expect normal back-and-forth conversational patterns. A new mailbox blasting 30 cold messages a day looks exactly like a hijacked account. The fix is the 2:1 warmup ratio: for every cold email, two warmup emails go out from the same inbox to keep positive engagement signals dominant. That happens inside your sequencer — Smartlead, Instantly, EmailBison, PlusVibe — not inside Gmail.
The right pattern for cold email is many sending domains, two Workspace inboxes per domain, low daily volume per inbox, sequencer-managed warmup, and reputation isolated from your primary domain. ScaledMail provisions and monitors that infrastructure as a managed service. Gmail SMTP is what you set up for the marketing director's laptop. It's not what you set up for an outbound program.
