Microsoft removed Basic Authentication from most Exchange Online protocols on October 1, 2022, and finished the job by retiring Basic auth for SMTP client submission in March 2026. The server is still smtp.office365.com on port 587 with STARTTLS, but every connection now needs an OAuth 2.0 token in XOAUTH2 format, and SMTP AUTH itself is disabled by default on new tenants. Here’s the full reference.
What are the Outlook SMTP server settings?
Section titled “What are the Outlook SMTP server settings?”The Outlook SMTP server is smtp.office365.com on port 587 with STARTTLS; Microsoft deprecated port 25 for client submission and recommends 587 over 465 for Exchange Online. Authentication uses OAuth 2.0 (Modern Auth), and the username is the full email address.
| Setting | Value |
|---|---|
| SMTP server (Microsoft 365 / Exchange Online) | smtp.office365.com |
| SMTP server (Outlook.com personal accounts) | smtp-mail.outlook.com |
| Port | 587 |
| Encryption | STARTTLS (required) |
| Authentication | OAuth 2.0 (Modern Auth) |
| Username | Full email address |
| IMAP server | outlook.office365.com (port 993, TLS) |
| POP3 server | outlook.office365.com (port 995, TLS) |
Three details catch developers. First, personal Outlook.com accounts use a different SMTP hostname (smtp-mail.outlook.com) than Microsoft 365 work accounts, on the same port 587. Second, the IMAP and POP3 hostname (outlook.office365.com) differs from the SMTP hostname, so copying one into the other field fails. Third, according to Microsoft’s SMTP submission documentation, SMTP AUTH is disabled by default on new Microsoft 365 tenants and must be enabled per mailbox by a tenant admin.
How did the Basic Auth shutdown change SMTP access?
Section titled “How did the Basic Auth shutdown change SMTP access?”Microsoft disabled Basic Authentication for most Exchange Online protocols (POP, IMAP, EWS, ActiveSync, Remote PowerShell) on October 1, 2022. SMTP AUTH got a temporary exception, but Microsoft retired Basic auth for client submission in March 2026, so every SMTP connection must now present an OAuth 2.0 access token using the XOAUTH2 SASL mechanism. Each cutoff broke scripts, printers, and line-of-business apps overnight.
Modern Auth SMTP needs an Entra ID (Azure AD) app registration with the SMTP.Send delegated permission. The token request goes to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token with scope=https://outlook.office.com/SMTP.Send (add offline_access for refresh tokens); app-only flows authorized by a tenant admin use scope=https://outlook.office365.com/.default instead. Access tokens expire after 3,600 seconds, so production code needs a refresh loop. The handshake then looks like this:
EHLO client.example.comSTARTTLSEHLO client.example.comAUTH XOAUTH2 <base64-encoded-token-string>
# Token string format before base64 encoding:# [email protected]^Aauth=Bearer <access_token>^A^A# where ^A is the ASCII SOH character (0x01)The XOAUTH2 string isn’t a standard Bearer header: the user= and auth=Bearer fields are separated by SOH (0x01) characters before the whole string is base64-encoded. Getting that encoding wrong is the top cause of 535 5.7.3 failures. Microsoft’s XOAUTH2 documentation includes a sample that builds the string correctly.
What are common Outlook SMTP errors and fixes?
Section titled “What are common Outlook SMTP errors and fixes?”Outlook SMTP returns RFC 5321 codes with Microsoft-specific extended status codes, and the 5.7.x family (authentication and authorization) dominates since the Basic Auth shutdown. The 6 most frequent:
| Error code | Meaning | Fix |
|---|---|---|
535 5.7.3 | Authentication unsuccessful | Switch to OAuth 2.0; Basic Auth is permanently off |
550 5.7.501 | SMTP AUTH disabled for the mailbox | Admin runs Set-CASMailbox -SmtpClientAuthenticationDisabled $false |
421 4.7.0 | Connection throttled | Back off 60 seconds and reduce send rate |
554 5.2.0 | Message too large | Stay under the tenant’s size limit (35 MB default) |
452 4.5.3 | Too many recipients | Respect the per-message recipient limit (up to 1,000) |
550 5.7.520 | Detected as spam | Check SPF, DKIM, and DMARC; slow bulk sending |
535 5.7.3 accounts for the majority of failures: it means the code is still sending a plain username and password, or the XOAUTH2 string is malformed. The fix is an app registration, a token request, and the SOH-separated encoding shown above, in that order.
What are the sending limits for Microsoft 365?
Section titled “What are the sending limits for Microsoft 365?”Microsoft 365 enforces per-mailbox limits on SMTP submissions: 10,000 recipients per day, 30 messages per minute, and a 35 MB default message size cap that admins can raise to 150 MB. Exceeding any of them triggers a 421 4.7.0 throttle or a 550 rejection. The numbers come from Microsoft’s Exchange Online limits documentation.
| Limit | Microsoft 365 | Outlook.com |
|---|---|---|
| Recipients per day | 10,000 | Varies by subscription |
| Recipients per message | Up to 1,000 (admin-configurable) | 100 |
| Messages per minute | 30 | 30 |
| Max message size | 35 MB default (configurable to 150 MB) | Varies by account |
The 30-messages-per-minute cap surprises teams building notification systems, because it’s per mailbox rather than per tenant. For volume beyond these limits Microsoft points to Azure Communication Services or a dedicated sending provider rather than SMTP AUTH.
How do you send Outlook email without SMTP?
Section titled “How do you send Outlook email without SMTP?”The Nylas Email API sends through a connected Outlook or Microsoft 365 account with one HTTPS request: POST /v3/grants/{grant_id}/messages/send. There’s no Entra ID app registration, no XOAUTH2 encoding, no per-mailbox SMTP AUTH enablement, and token refresh happens server-side every 3,600 seconds.
The send Outlook email recipe has the full walkthrough, including attachments and the comparison with Microsoft Graph’s sendMail endpoint. For the provider-neutral version that also covers Gmail, Yahoo, and IMAP accounts, see send email without SMTP; Microsoft’s own sending limits above still apply because mail leaves through the user’s mailbox.
What’s next
Section titled “What’s next”- How to send Outlook email sends through Microsoft 365 with one API call.
- Gmail SMTP settings is the Google equivalent of this reference.
- Send email without SMTP covers the cross-provider API path.
- How to list Microsoft email messages reads the mailbox the same connection sends from.