Outlook & Microsoft 365 SMTP Setup (2026 App Password Guide)
Personal or business account. App Password + Authenticated SMTP.
TL;DR
- check_circleOutlook SMTP server: smtp.office365.com — port 587 with STARTTLS, for both personal outlook.com and Microsoft 365.
- check_circlePersonal accounts (outlook.com / hotmail.com / live.com) need an App Password — generate one at account.live.com/proofs/AppPassword.
- check_circleMicrosoft 365 mailboxes need SMTP AUTH ("Authenticated SMTP") enabled — often blocked by default for security.
- check_circlePersonal limit: 300 recipients/day. Microsoft 365: 10,000 recipients/day with bursts capped at 30/minute.
- check_circleMost-asked error: 5.7.139 "SmtpClientAuthentication is disabled for the Tenant" — see the fix below.
Connection settings
smtp.office365.com587STARTTLSFull email address (you@outlook.com or you@company.com)App Password (personal) OR your mailbox password if SMTP AUTH is enabled (365)What you'll need
An Outlook.com or Microsoft 365 mailbox
Any @outlook.com, @hotmail.com, @live.com, or custom domain hosted on Microsoft 365 works the same way at the SMTP layer.
Two-Step Verification on (personal)
App Passwords on outlook.com require Two-Step Verification to be enabled. Microsoft enforces this since 2022.
Manage your sign-in securityopen_in_newTenant admin access (Microsoft 365)
If you're on Microsoft 365, SMTP AUTH may have to be re-enabled by a global admin or Exchange admin. Plan for a 5-minute conversation if that's not you.
Step-by-step setup
- 1
Choose your account type
Personal (@outlook.com, @hotmail.com, @live.com) and Microsoft 365 (custom domain on Microsoft) use the same SMTP host but different authentication flows. Pick the right path before you start to avoid 30 minutes of confusion.
- 2
Personal accounts — turn on Two-Step Verification
Open account.live.com/proofs/manage. Sign in, click "Turn on Two-step verification," follow the wizard. Without 2SV you can't generate App Passwords — Microsoft retired "basic auth" for personal SMTP in 2023.
Manage sign-in proofsopen_in_new - 3
Personal accounts — generate an App Password
Go to account.live.com/proofs/AppPassword. Click "Create a new app password." Microsoft generates a 16-character lowercase password — copy it. Anywhere SMTP asks for a password, use this string instead of your real Outlook password.
Create an App Passwordopen_in_newwarningWatch out: App Passwords can't be retrieved later. If you lose it, generate another and revoke the old one.
- 4
Microsoft 365 — confirm SMTP AUTH is enabled
Microsoft disables SMTP AUTH ("Authenticated SMTP") by default for new tenants. To check: an admin opens admin.microsoft.com → Users → Active users → click your user → Mail tab → Email apps. "Authenticated SMTP" must be ON.
Open Microsoft 365 adminopen_in_newlightbulbTip: Prefer PowerShell? Run: Set-CASMailbox -Identity user@company.com -SmtpClientAuthenticationDisabled $false
- 5
Microsoft 365 — confirm the tenant-wide setting
Even with per-user SMTP AUTH on, the tenant-wide switch can override it. Admin opens admin.exchange.microsoft.com → Settings → Mail flow → "Turn off SMTP AUTH protocol for your organization" must be UNCHECKED.
Exchange admin settingsopen_in_new - 6
Use these SMTP server settings
Host: smtp.office365.com · Port: 587 · Encryption: STARTTLS · Username: your full email address (you@outlook.com or you@company.com) · Password: App Password for personal, normal mailbox password for 365.
- 7
Add a verified sender (optional but recommended)
If you'll send From: an alias (e.g. noreply@company.com), make sure it's added in Microsoft 365 Admin → Recipients → Mailboxes → user → Email addresses. Otherwise messages get rewritten back to the primary mailbox.
Connect to CodeOpx Mail
Plug them into CodeOpx Mail:
- 1Open SMTP configs
Dashboard → SMTP → "Add config" → choose "Outlook / Microsoft 365." Host and port pre-fill to smtp.office365.com:587 with STARTTLS.
- 2Fill in the form
Username: full email address. Password: App Password (personal) or mailbox password (365 with SMTP AUTH enabled).
- 3Hit "Test connection"
We attempt an authenticated SMTP handshake. If you get the dreaded 5.7.139 error, jump to the troubleshooting table — it's almost always a tenant setting.
- 4Send
Pick your Outlook config from the From dropdown when composing. Replies will land in your Outlook inbox; CodeOpx tracks delivery, opens, clicks, and bounces.
Common errors & fixes
535 5.7.139Authentication unsuccessful — SmtpClientAuthentication disabled
Microsoft 365's most common SMTP error. The tenant or your mailbox has SMTP AUTH disabled — Microsoft did this by default starting 2020.
Fix: Admin: enable "Authenticated SMTP" for the user in Microsoft 365 admin (Users → Mail → Email apps) AND uncheck the tenant-wide block in Exchange admin → Settings → Mail flow.
535 5.7.3Authentication unsuccessful
Bad username/password, or Modern Authentication is required and you're trying basic auth.
Fix: Re-confirm your password (generate a new App Password if personal). For 365, make sure SMTP AUTH is enabled per the row above.
550 5.7.708Service unavailable — access denied
Your sending IP has tripped Microsoft's reputation throttle.
Fix: Wait 15 minutes, send slower, and verify your domain has SPF + DKIM aligned. Use Microsoft's SNDS / JMRP / Smart Network Data Services to investigate further.
554 5.2.0STOREDRV.Submission.Exception
Usually thrown when sending from an unauthorized alias.
Fix: Add the From address as a verified alias under Microsoft 365 → Recipients → Mailboxes → Email addresses.
Throttle: 432The recipient's mailbox is being moved or 4.3.2
Outlook.com applies sliding-window rate limits aggressively to new senders.
Fix: Reduce burst rate to ~25 messages/minute, and warm the account by sending small batches the first week.
Sending limits
Outlook applies sending limits per user, per 24-hour window, and per minute. Microsoft 365 has much higher limits than personal accounts, but both throttle bursts aggressively.
| Outlook.com / Hotmail / Live | 300 messages / day |
| Microsoft 365 (paid) | 10,000 recipients / day |
| Per-minute rate (365) | 30 messages / minute |
| Per-message recipients | 500 (combined To + CC + BCC) on 365, 100 on personal |
| Max message size | 150 MB on 365, 20 MB on personal |
- lightbulbMicrosoft 365 doesn't recommend SMTP AUTH for high volume — it's intended for legacy device support. For >5,000/day consider Microsoft's High Volume Email (HVE) preview, or just use a transactional ESP.
- lightbulbIf you start seeing 'mailbox unavailable' errors after a burst, that's the per-minute throttle — slow your sending and they clear on their own.
- lightbulbOn personal outlook.com, sending to new recipients suddenly is a fast path to spam-folder placement. Build the recipient list gradually.
FAQ
Why does Microsoft keep saying SMTP AUTH is deprecated?
add
Microsoft considers SMTP AUTH a legacy protocol because it can't enforce MFA on the connection itself. They recommend OAuth 2.0 or Microsoft Graph for new applications. SMTP AUTH still works fine — they've just stopped enabling it by default for new tenants and might fully sunset it in the future. Plan accordingly if you're building something long-lived.
What's the difference between smtp.office365.com and smtp-mail.outlook.com?
add
Both still resolve, but smtp.office365.com is the modern endpoint for both personal Outlook.com and Microsoft 365 accounts. Microsoft has unified these — use smtp.office365.com everywhere.
Can I send from a shared mailbox?
add
Yes, but you authenticate with your own credentials. Grant your user "Send As" permission on the shared mailbox in Exchange admin, then set the From header to the shared address while authenticating as yourself.
Will sending through SMTP affect my Microsoft Secure Score?
add
Re-enabling SMTP AUTH lowers your tenant's Secure Score because Microsoft views it as a legacy protocol. Re-enable it only for the user accounts that need it, not tenant-wide, and monitor sign-in logs for suspicious activity.
Does Office 365 SMTP support DKIM signing automatically?
add
Yes — Microsoft 365 signs all outbound mail with DKIM using their selectors, but if you want stronger deliverability, set up a custom DKIM key under Microsoft Defender → Email & collaboration → Policies → DKIM. Pair with an SPF record (v=spf1 include:spf.protection.outlook.com -all) and a DMARC policy.
Why do my emails land in Outlook's Junk folder even when SMTP works?
add
Authentication and deliverability are different problems. Successful SMTP delivery just means Microsoft accepted the message — placement depends on sender reputation, SPF/DKIM alignment, content, and recipient interaction. Set up DMARC, warm up the address, and avoid spammy phrases.
Video tutorial
Watch: Outlook / Microsoft 365 SMTP tutorials on YouTube
We curated a YouTube search of recent walkthroughs by independent creators. The official docs (linked below) remain the source of truth.
play_arrowWatch on YouTubeFurther reading
Related provider guides
Ready to send through outlook?
Sign up for CodeOpx Mail, add this SMTP config, and you'll be sending tracked emails in under 5 minutes.