Microsoft cloud

Office 365 SMTP Settings

Office 365 (now branded Microsoft 365) uses smtp.office365.com on port 587 with STARTTLS. SMTP AUTH is disabled by default for tenants created after January 2020 and must be enabled per mailbox.

Last verified 2026-05-05

Office 365 SMTP, IMAP, and POP3 settings diagram

Quick reference

ProtocolServerPortEncryption
SMTP (outgoing)smtp.office365.com587STARTTLS (TLS 1.2+)
IMAP (incoming)outlook.office365.com993SSL/TLS
POP3 (incoming)outlook.office365.com995SSL/TLS
Outbound SMTP runs on port 587 with STARTTLS (TLS 1.2+), incoming IMAP on port 993 with SSL/TLS, POP3 on port 995 with SSL/TLS.Your clientOutlook, Apple Mail,sequencer, appSMTP submission · port 587STARTTLS (TLS 1.2+)IMAP fetch · port 993SSL/TLSPOP3 fetch · port 995SSL/TLSOffice 365smtp.office365.comoutlook.office365.comLast verified 2026-05-05 · scaledmail.com
Office 365 mail submission and retrieval ports.

Office 365 SMTP at a glance

Office 365 uses smtp.office365.com on port 587 with STARTTLS. Authentication is per-mailbox with TLS 1.2 or TLS 1.3 required. There is no port 465 option, no IP-authenticated submission to this hostname, and Microsoft is actively retiring Basic Authentication in favor of OAuth 2.0.

If you're reading this because a printer or app is failing against Office 365, the issue is almost never the hostname. It's one of three things: SMTP AUTH is disabled on the mailbox, Basic Auth is blocked at the tenant level, or the device can't negotiate TLS 1.2. Microsoft renamed the product to Microsoft 365 in 2020, but the SMTP host stayed smtp.office365.com, so older documentation still applies to the server side even if the brand has moved on.

Step-by-step Office 365 SMTP setup

Most Office 365 SMTP setup work happens in two places: the device or app you're configuring, and the Exchange admin center where you flip the per-mailbox SMTP AUTH toggle.

1. Confirm SMTP AUTH is enabled on the mailbox

Office 365 disables SMTP submission by default for tenants created after January 2020. Sign in to the Microsoft 365 admin center, go to Users → Active users, pick the mailbox, then Mail → Manage email apps. The Authenticated SMTP toggle has to be on. The PowerShell equivalent is Set-CASMailbox -Identity user@yourdomain.com -SmtpClientAuthenticationDisabled $false.

You can also set this at the organization level with Set-TransportConfig -SmtpClientAuthenticationDisabled $false, but per-mailbox is the better pattern. Granting SMTP AUTH globally exposes every mailbox in the tenant to client submission and the credential-spray attempts that come with it.

2. Configure the device or application

  • SMTP server: smtp.office365.com
  • Port: 587
  • Encryption: STARTTLS (TLS 1.2 or higher)
  • Authentication: required
  • Username: the full email address of the mailbox
  • Password: the mailbox password (or, preferably, an OAuth 2.0 access token)

Microsoft's documentation is explicit that if a device defaults to port 465, it doesn't support a TLS version Office 365 accepts. The submission server only listens on 587, and only with TLS 1.2 or 1.3. Older devices that can't negotiate that are out — there's no workaround on the same host.

3. Configure incoming IMAP or POP3

For Office 365 mailboxes, IMAP runs on outlook.office365.com port 993 with SSL/TLS, and POP3 runs on outlook.office365.com port 995 with SSL/TLS. The same OAuth 2.0 / Modern Auth requirement applies to IMAP and POP3, not just SMTP. Older clients that only do Basic Auth for IMAP will fail the same way they fail for SMTP.

4. Verify the From address has Send As permission

If the application authenticates as one mailbox but sends mail with a different From address, Office 365 returns a 5.7.60 error. The auth account needs explicit Send As permission on the target mailbox. Add it via Exchange admin center or with Add-RecipientPermission. The simpler pattern is to send From the authenticated mailbox itself, which sidesteps the permission question entirely.

5. Test, watch the limits

Authenticated SMTP submission caps at 30 messages per minute and 10,000 recipients per day per mailbox. Recipients are counted, not messages — sending one email to 50 people consumes 50 of your daily allotment. The rate limit applies to sustained throughput; brief bursts above 30/minute are throttled, not refused.

Modern Auth (OAuth 2.0) vs. Basic Auth

Microsoft has been signaling the end of Basic Auth for SMTP submission for years. The current state in 2026 is that Basic Auth still works on a tenant-by-tenant basis, but new tenants block it, Security Defaults block it, and Microsoft's official guidance recommends migrating every device and application to OAuth 2.0.

The migration looks like this: register an application in Microsoft Entra ID, grant it the SMTP.Send delegated permission (or the application equivalent for daemon scenarios), have the user or service principal complete the OAuth flow to obtain an access token, and use the token in place of the password with the XOAUTH2 SASL mechanism. The SMTP host and port don't change. Only the authentication step does.

For applications that genuinely cannot move to OAuth, Microsoft now points elsewhere entirely: High Volume Email (HVE) for internal mail, Azure Communication Services Email for external mail. Continuing to rely on Basic Auth SMTP submission is a roadmap risk.

Office 365 SMTP relay vs. Direct Send

Office 365 supports three submission patterns. Knowing which you need saves a lot of debugging.

Client SMTP submission is the per-mailbox auth flow described above. Use this when a device or app needs to send as a real Office 365 user. Counts against that user's 10,000-recipient cap. Works from anywhere on the internet.

SMTP relay uses an inbound connector authenticated by TLS certificate or static public IP. The device connects to your tenant's MX endpoint (something like contoso-com.mail.protection.outlook.com) on port 25. Higher caps, no per-mailbox auth, but you need a static IP and a connector configured in Exchange admin. Right answer for high-volume LOB applications.

Direct Send is anonymous submission to your tenant's MX endpoint on port 25, no auth at all. Only delivers to recipients in your own accepted domains. Useful for legacy printers scanning to internal addresses, useless for anything that needs to reach outside the org.

Common Office 365 SMTP errors

Office 365 returns enhanced status codes that are more specific than generic SMTP responses, and they tell you exactly what to fix once you know the pattern.

5.7.57 Client not authenticated to send mail. SMTP AUTH is disabled on the mailbox or at the tenant level. Enable it per the step above. This is the single most common Office 365 SMTP error in 2026 because Microsoft made it default-off for new tenants.

5.7.60 Client doesn't have permissions to send as this sender. The authenticated mailbox is trying to send From a different address. Either change the From, or grant Send As permission on the target mailbox.

5.7.708 Access denied, traffic not accepted from this IP. Your IP is on a Microsoft-side reputation block. This usually means a previous tenant on the IP burned reputation; less commonly, your tenant is sending patterns that look like compromise. Submit a delisting request via the Office 365 anti-spam IP delist portal.

4.7.500 Server busy. Throttling. You're above the per-minute cap. Back off, retry with exponential delay, and reconsider whether mailbox-based submission is the right pattern for this workload.

Office 365 SMTP for cold email — the honest answer

Office 365 mailboxes are a perfectly reasonable origin for cold outbound. The 10,000-recipient daily cap per mailbox is more than enough for low-volume-per-inbox cold email patterns. Microsoft 365 reputation is strong. Authentication, with Modern Auth, is clean.

The catch is the same one that applies to any cold-email infrastructure decision: you don't run cold outbound from your primary business tenant. One bad campaign, one filter complaint cascade, and the reputation hit lands on the same domain your internal mail and customer billing run on. The standard pattern is a separate tenant, separate domains, separate inboxes, all isolated from the production business identity.

Inside that separate tenant, the right configuration is two to three inboxes per sending domain, 5 to 10 cold messages per day per inbox during ramp, scaling to 15-25 cold per day after the 14-day warmup period. Warmup itself runs in your sequencer (Smartlead, Instantly, EmailBison, PlusVibe), where the engagement and send-pattern data lives. The 2:1 warmup-to-cold ratio (two warmup emails for every one cold email) holds forever, not just during initial ramp.

That's the infrastructure ScaledMail provisions and monitors as a service. smtp.office365.com on port 587 is the right host. The wrong move is pointing it at your production tenant.

Five-step SMTP submission flow against smtp.office365.com: EHLO, STARTTLS, AUTH, mail transaction, QUIT.SMTP submission flow · smtp.office365.com:587OAuth 2.0 (Modern Auth) recommended; Basic Auth deprecatedClientsmtp.office365.com1. EHLOClient says hello, advertises capabilities2. STARTTLSUpgrade plaintext to encrypted channel3. AUTH XOAUTH2Send OAuth bearer token4. MAIL FROM / RCPT TO / DATAEnvelope, recipients, message body5. QUITClose the session cleanlyscaledmail.com — verified 2026-05-05
Authentication and submission flow for Office 365.

Troubleshooting common errors

5.7.57 Client not authenticated to send mail

SMTP AUTH is disabled on the mailbox. In Exchange admin → Mailboxes → the mailbox → Manage email apps, enable Authenticated SMTP. Or run Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $false.

5.7.60 Client doesn't have permissions to send as this sender

Your authenticated mailbox isn't the From address on the message. Either send as the authenticated mailbox, or grant Send As permission to the auth account on the target mailbox.

TLS handshake failure

smtp.office365.com requires TLS 1.2 or 1.3. Older clients negotiating TLS 1.0/1.1 will fail. Update the client or library, or switch to a connector-based SMTP relay if the device cannot be upgraded.

Cannot use port 465

Microsoft 365 does not accept SMTP submission on port 465. The only supported SMTP AUTH port is 587 with STARTTLS. If your device defaults to 465, it likely doesn't support a TLS version Microsoft 365 accepts.

Throttled at 30 messages/minute

Per-mailbox SMTP submission is rate-limited. For higher throughput, use SMTP relay with a connector, HVE for internal mail, or a transactional email service.

Frequently asked questions

What is the Office 365 SMTP server address?+

Office 365's SMTP server is smtp.office365.com. The submission port is 587 with STARTTLS (TLS 1.2+).

Which port should I use for Office 365 SMTP — 587 or 465?+

Use 587 with STARTTLS (TLS 1.2+). Port 25 is for server-to-server SMTP and is usually blocked by ISPs for client submission.

Do I need an app password for Office 365?+

Office 365 does not require app passwords for SMTP submission. Microsoft is retiring Basic authentication for client SMTP submission. Use OAuth where the client supports it. SMTP AUTH must be explicitly enabled on the mailbox (Set-CASMailbox -SmtpClientAuthenticationDisabled $false) for tenants created after January 2020.

What is the Office 365 sending limit?+

10,000 recipients per day Throttling caps at 30 messages per minute. Recipients are counted, not messages — sending one email to 50 people consumes 50 of your 10,000. For bulk transactional volume, Microsoft now points to High Volume Email (HVE) for internal mail or Azure Communication Services Email for external.

Can I use Office 365 SMTP for cold email outbound?+

For any cold-email volume, no. Office 365's SMTP submission is built for transactional and personal use, with daily caps and shared reputation that work against you the moment volume scales. Cold outbound belongs on dedicated mailboxes (Google Workspace or Microsoft 365) on separate sending domains, with proper warmup and a real sequencer — not on a relay through a personal or hosting mailbox.

Is smtp.office365.com the right host for cold email?+

It's the right host if you're configuring a normal email client to send personal or transactional mail. It's the wrong host for cold outreach at scale. Cold-email infrastructure is many domains × many low-volume inboxes × a sequencer enforcing 2:1 warmup-to-cold ratio — not a single SMTP relay or mailbox pushing thousands of cold messages a day.

Setting this up for cold outreach? Stop.

smtp.office365.com is the right answer for personal mail, transactional notifications, and small-scale business sending. It is the wrong answer for cold email at any volume — a single mailbox or relay routing hundreds of cold messages a day burns reputation, hits hard caps, and gets you spam-foldered before the campaign even gets a fair test.

Cold email at scale is many domains × many low-volume inboxes × a 2:1 warmup-to-cold ratio enforced inside your sequencer. ScaledMail provisions and monitors that infrastructure on real Google Workspace and Microsoft 365 mailboxes, on dedicated sending domains, isolated from your primary business domain. You connect it to Smartlead, Instantly, EmailBison, or PlusVibe and let the sequencer handle warmup and sends.

Book a call about cold-email infrastructureSee ScaledMail pricing

Other SMTP provider guides

Gmail SMTP settings
smtp.gmail.com:587
Microsoft 365 SMTP settings
smtp.office365.com:587
Outlook.com SMTP settings
smtp-mail.outlook.com:587
GoDaddy SMTP settings
smtpout.secureserver.net:465
All SMTP settings →
Complete reference table

Verified against official sources