Gmail SMTP Server Settings for Sending Email
Gmail's SMTP server lets you send email through Google's infrastructure from third-party email clients, WordPress sites, CRM systems, and custom applications. Whether you are configuring Thunderbird, setting up a contact form, or integrating with a marketing tool, the SMTP settings are the same.
Gmail SMTP Configuration Reference
| Setting | Value |
|---|---|
| SMTP Server | smtp.gmail.com |
| Port (TLS/STARTTLS) | 587 |
| Port (SSL) | 465 |
| Authentication | Required |
| Username | Your full Gmail address |
| Password | App Password (see below) |
| Encryption | TLS (port 587) or SSL (port 465) |
For Google Workspace accounts, the server and ports are identical. The username is your full Workspace email address.
TLS vs. SSL: Which Port to Use
Port 587 with STARTTLS is the recommended configuration per RFC 6409 (Message Submission). The connection starts unencrypted and upgrades to TLS during the SMTP handshake. Most modern email clients and applications default to this.
Port 465 with implicit SSL establishes an encrypted connection immediately. While this port was briefly deprecated, it has been reassigned for message submission with implicit TLS (RFC 8314). Both options are secure; port 587 is more widely supported.
Avoid port 25, which is intended for server-to-server relay and is blocked by most ISPs for end-user connections.
Authentication: App Passwords
Google requires two-factor authentication (2FA) on accounts and no longer supports plain password authentication for third-party apps. The "Less Secure Apps" option was fully deprecated in 2022.
To authenticate with SMTP, generate an App Password:
- Go to your Google Account at myaccount.google.com.
- Navigate to Security > 2-Step Verification (must be enabled first).
- At the bottom of the 2-Step Verification page, find App passwords.
- Select the app type (Mail) and device, then click Generate.
- Google displays a 16-character password. Use this in place of your regular password in SMTP configuration.
App Passwords bypass 2FA for that specific application without reducing your account security.
For Google Workspace accounts, administrators must ensure that "Less secure app access" is not required and that App Passwords or OAuth 2.0 are available to users. Some Workspace configurations may restrict App Password generation -- check the Admin console under Security > Authentication.
OAuth 2.0 Authentication
Applications that support OAuth 2.0 can authenticate with Gmail's SMTP server without App Passwords. This is the preferred method for production applications and services because tokens can be scoped and revoked independently.
OAuth 2.0 SMTP authentication uses the XOAUTH2 SASL mechanism. The application exchanges an OAuth access token during the SMTP AUTH command. Implementation requires registering your application with the Google Cloud Console and obtaining OAuth credentials.
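The XOAUTH2 exchange described above, sketched with Python's smtplib as an added example (not code from the original page or from Google). The function names are hypothetical, and the access token is assumed to have been obtained already through the OAuth flow for your registered application.

```python
import base64
import smtplib
import ssl


def xoauth2_string(user, access_token):
    """Build the XOAUTH2 initial client response (before base64 encoding)."""
    for name, value in (("user", user), ("access_token", access_token)):
        # \x01 separates the fields, so a control character inside a value
        # could smuggle in an extra field. Accept printable ASCII only.
        if not value or any(not 0x20 <= ord(ch) <= 0x7E for ch in value):
            raise ValueError(f"{name} must be non-empty printable ASCII")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_wire(user, access_token):
    """The base64 text that follows 'AUTH XOAUTH2 ' on the wire."""
    raw = xoauth2_string(user, access_token).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def xoauth2_authobject(user, access_token):
    """Return a callable in the shape smtplib.SMTP.auth() expects."""
    def respond(challenge=None):
        if challenge is None:
            return xoauth2_string(user, access_token)  # smtplib base64-encodes it
        # A rejected token produces a 334 challenge carrying an error
        # description; an empty reply lets the server send its final status.
        return ""
    return respond


def send_with_oauth(user, access_token, to_addr, message):
    """Submit one message on port 587 with XOAUTH2 (needs network access)."""
    with smtplib.SMTP("smtp.gmail.com", 587, timeout=30) as server:
        server.starttls(context=ssl.create_default_context())
        server.ehlo()  # capabilities must be re-read after STARTTLS
        server.auth("XOAUTH2", xoauth2_authobject(user, access_token))
        server.sendmail(user, to_addr, message)
```

Only `send_with_oauth` touches the network; the other functions can be exercised offline to confirm the encoding before a real token is involved.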
Sending Limits
Gmail enforces sending limits to prevent abuse:
| Account Type | Daily Limit |
|---|---|
| Free Gmail (@gmail.com) | 500 messages/day |
| Google Workspace | 2,000 messages/day |
These limits apply across all sending methods (web interface, SMTP, API). Exceeding them results in temporary sending blocks, typically lasting 1 to 24 hours.
Additional constraints:
- Maximum 500 recipients per message.
- Messages cannot exceed 25 MB (including attachments and encoding overhead).
- Rapid sending in short bursts may trigger rate limiting before the daily cap is reached.
For bulk email (newsletters, marketing campaigns), Gmail SMTP is not appropriate. Use a dedicated email service provider (ESP) like SendGrid, Mailgun, or Amazon SES, which are designed for high-volume sending and provide dedicated IP addresses and reputation management.
SPF Considerations
When you send through smtp.gmail.com, the sending IP belongs to Google. Your domain's SPF record must authorize Google's mail servers:
@ TXT "v=spf1 include:_spf.google.com ~all"
If you are using a custom domain with Google Workspace, this is part of the standard setup. For free Gmail accounts sending through SMTP, messages are sent as your @gmail.com address, and Google's SPF record covers authentication automatically.
Verify your SPF record with the InboxTooling SPF Check.
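An offline check of the SPF requirement above, added here as an example and not part of the original page or of any InboxTooling tool. It takes TXT record strings you have already retrieved; the function names and finding messages are hypothetical, and it does not follow nested includes or count DNS lookups.

```python
GOOGLE_INCLUDE = "include:_spf.google.com"


def split_term(term):
    """Split an SPF term into (qualifier, mechanism); '+' is the default."""
    if term[0] in "+-~?":
        return term[0], term[1:].lower()
    return "+", term.lower()


def check_google_spf(txt_records):
    """Return a list of findings; an empty list means Google is authorized
    and the record ends in a softfail or fail 'all'."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower() == "v=spf1"
           or r.strip().lower().startswith("v=spf1 ")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error.
        return ["multiple SPF records (permerror at receivers)"]

    terms = [split_term(t) for t in spf[0].split()[1:]]
    mechanisms = [m for _, m in terms]
    findings = []
    # Only a '+' (or unqualified) include actually authorizes Google.
    if ("+", GOOGLE_INCLUDE) not in terms:
        findings.append("Google is not authorized: add " + GOOGLE_INCLUDE)
    if "all" not in mechanisms:
        if not any(m.startswith("redirect=") for m in mechanisms):
            findings.append("no 'all' mechanism: unlisted senders are neutral")
    else:
        pos = mechanisms.index("all")
        if terms[pos][0] in "+?":
            findings.append("'%sall' does not reject unlisted senders"
                            % terms[pos][0])
        trailing = [m for m in mechanisms[pos + 1:]
                    if not m.startswith(("redirect=", "exp="))]
        if trailing:
            findings.append("mechanisms after 'all' are never evaluated")
    return findings
```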
Configuring Common Applications
WordPress (WP Mail SMTP Plugin)
- Mailer: Other SMTP
- SMTP Host: smtp.gmail.com
- Encryption: TLS
- Port: 587
- Authentication: On
- Username: your Gmail address
- Password: your App Password
Thunderbird
- Outgoing Server: smtp.gmail.com
- Port: 587
- Connection Security: STARTTLS
- Authentication: OAuth2 or Normal password (with App Password)
Python (smtplib)
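```python
import smtplib
import ssl

from_addr = "your-address@gmail.com"  # placeholder: your full Gmail address
to_addr = "recipient@example.com"     # placeholder recipient
message = "Subject: Test\r\n\r\nSent through smtp.gmail.com."

# STARTTLS on port 587; the default context verifies the server certificate.
with smtplib.SMTP("smtp.gmail.com", 587, timeout=30) as server:
    server.starttls(context=ssl.create_default_context())
    server.login(from_addr, "your-app-password")  # App Password, not the account password
    server.sendmail(from_addr, to_addr, message)
```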
Troubleshooting
- "Authentication failed": Ensure you are using an App Password, not your regular Google password. Verify 2FA is enabled.
- "Connection timed out": Your network or firewall may block outbound ports 587 or 465. Test from a different network.
- "Message rejected": You may have exceeded sending limits. Check your account for security alerts.
- SPF failures on received messages: Your domain's SPF record may not include Google. Run a check with the SPF tool.
For a comprehensive check of your domain's email configuration, use the InboxTooling Full Report to validate MX, SPF, DKIM, and DMARC in one pass. Confirm MX records are correct with the MX Lookup.