Enhanced Status Code 5.7.8: Authentication Credentials Invalid

Permanent failure High severity Security RFC 4954

What it means

Enhanced Status Code 5.7.8 means “Authentication Credentials Invalid.” The SMTP authentication credentials (username and/or password) you provided are incorrect or have expired. The server rejected your login attempt. Update your credentials immediately.

At a glance

Code5.7.8

Bounce typeHard (permanent)

SeverityHigh

CategorySecurity

What to doSuppress the address; do not retry

StandardRFC 4954

What it looks like in your mail logs

535 5.7.8 Username and Password not accepted. For more information, go to https://support.google.com/mail/?p=BadCredentials

What does 5.7.8 mean?

Enhanced status code 5.7.8 means the username and/or password provided during SMTP AUTH were rejected by the server. This is a straightforward credential issue - the login attempt failed. This commonly occurs when sending through a relay server or SMTP submission service.

Common causes include expired passwords, password rotation by IT administrators, disabled accounts, or using OAuth tokens that have expired. Many organizations now require app-specific passwords or OAuth2 for SMTP authentication rather than regular account passwords.

How 5.7.8 plays out

Your server attempts delivery

The recipient server returns a permanent 5.7.8 rejection

This is a hard bounce: the message will not be accepted as sent

Suppress the address and fix the root cause before resending

Where 5.7.8 sits: soft vs hard bounce

	Soft bounce (4xx)	Hard bounce (5xx)
Nature	Temporary	Permanent
SMTP class	`4xx`	`5xx`
What to do	Let it retry	Suppress the address
Recoverable?	Often	No
5.7.8 is		✓ this code

Common causes of 5.7.8

Password has been changed or expired
Username is incorrect or account does not exist
Account has been disabled or suspended
Using regular password instead of required app-specific password
OAuth2 token has expired and needs to be refreshed

How to fix 5.7.8

Verify your SMTP username and password are correct
Check if the password was changed or expired
Generate a new app-specific password if required (Gmail, Microsoft)
Refresh your OAuth2 token if using OAuth authentication
Contact your email service provider for credential issues

Frequently asked questions

What does SMTP error 535 5.7.8 "Username and Password not accepted" mean?

Error 535 5.7.8 means the SMTP server rejected the login credentials you provided for authentication. Your username, password, or both are incorrect, or the authentication method being used is not permitted for your account. This is the most common SMTP authentication error, frequently seen with Gmail, Microsoft 365, and other major providers when configuring email clients, applications, or scripts to send mail through their SMTP servers.

Why does Gmail return 5.7.8 when my password is correct?

Gmail returns 5.7.8 even with the correct password if your account has two-factor authentication (2FA) enabled and you are using your regular password instead of an App Password. Google no longer supports "Less Secure Apps" access, so regular passwords cannot be used for SMTP authentication. You must generate a 16-character App Password in your Google Account security settings (under "App Passwords") and use that instead of your normal password.

How do I fix 535 5.7.8 authentication failed in Microsoft 365?

Microsoft has disabled Basic Authentication (SMTP AUTH) by default for all tenants. You need to either re-enable SMTP AUTH for specific mailboxes that require it (via Exchange Admin Center or PowerShell) or switch to OAuth 2.0 authentication. For applications, use the Microsoft Identity Platform to obtain OAuth tokens. If SMTP AUTH is enabled but still failing, verify the username is the full email address, the password is current, and you are connecting to smtp.office365.com on port 587 with STARTTLS.

What is an App Password and how do I create one for SMTP?

An App Password is a one-time generated 16-character code that replaces your regular password for applications that do not support modern authentication (OAuth 2.0) or two-factor authentication prompts. In Gmail, go to your Google Account > Security > 2-Step Verification > App Passwords, select "Mail" and your device, then click Generate. Copy the 16-character code (without spaces) and enter it as your password in your email client or application's SMTP settings.

Related bounce codes

Sources & further reading

RFC 4954 · The standard that defines this reply code IETF Datatracker · RFC 4954 defines the SMTP AUTH extension and the 535 authentication credentials invalid response Microsoft Learn · Enable or disable SMTP AUTH in Exchange Online when basic authentication credentials are rejected

Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← All bounce codes