How to use Gmail as an SMTP server without OAuth

Gmail’s SMTP server (smtp.gmail.com) accepts two authentication methods: OAuth 2.0 and App Passwords. Less Secure App (LSA) access was Google's name for the third-party authentication path that used a plain account password against Gmail's SMTP, IMAP, and POP endpoints. Google shut it down for consumer accounts on 30 May 2022 and for Workspace accounts on 1 May 2025; OAuth, App Passwords, or a different sending provider replace it. Gmail SMTP always requires authentication; the question is which method. OAuth is Google’s preferred path for new integrations, but many WordPress SMTP plugins either lack OAuth support entirely or only support it for Google Workspace accounts. App Passwords are the working fallback: a 16-character credential issued by Google that authenticates without the OAuth dance. For the comparison between the two methods, see Gmail OAuth vs App Passwords.

This guide is for WordPress sites configuring Gmail SMTP through a mailer plugin (FluentSMTP, WP Mail SMTP, Post SMTP, and similar). The credentials are SMTP-standard and work with any client; the rest assumes the WordPress context.

Prerequisites

2-Step Verification (2SV) must be enabled on the Google account. Without it, the App Passwords option does not appear in Google account settings and there is no way to generate a credential. Enable 2SV at myaccount.google.com/security before generating an app password. This applies to both personal Gmail and Google Workspace.

For Google Workspace accounts, the administrator may have disabled App Passwords at the organisation level. If the App Passwords option is missing despite 2SV being on, that is the likely cause; check with the Workspace admin.

Generate the App Password

Follow How to set up App Passwords in Gmail for the step-by-step. Two operational details:

  • The 16-character password is shown once. Copy it before closing the dialog; there is no recovery.
  • Google strips the spaces from display but the password itself is just the 16 characters. Most plugins accept it either way.

Gmail SMTP settings

These are the values to enter in the WordPress mailer plugin’s SMTP configuration:

Setting          Value
SMTP host        smtp.gmail.com
Port             587 (STARTTLS) or 465 (SSL)
Encryption       STARTTLS for port 587, SSL/TLS for port 465
Authentication   Required
Username         The full Gmail address ([email protected] or [email protected] for Workspace)
Password         The 16-character App Password
From address     Must match the authenticating Gmail account (see below)

Either port works. Port 587 with STARTTLS is the modern default; port 465 with implicit SSL is still supported. Both 587 and 465 work when the host blocks outbound port 25, which is the common case on shared hosting.

The From address constraint

Gmail SMTP requires the From: address on the outgoing message to match the authenticated account (or a verified “Send mail as” alias). If WordPress is configured to send as [email protected] but the authenticated SMTP user is [email protected], one of two things happens:

  1. Gmail rewrites the From: header to [email protected] (silent), so recipients see your Gmail address, not your domain.
  2. The plugin fails authentication or the message is rejected, depending on the plugin’s handling.

Both outcomes are failures: one of sender identity, one of delivery. For Workspace accounts using a custom domain ([email protected]), this is not an issue: the SMTP user and the From domain match. For personal Gmail used as a relay for a WordPress site on a different domain, the rewrite means DMARC alignment is broken at the From: domain (yourdomain.com) compared to the authenticated infrastructure (gmail.com), and the message will fail DMARC at any inbox that enforces it.

If you need to send from your custom domain but route through Google, the supported paths are:

  • A Google Workspace account on your domain (the right answer for most cases).
  • A “Send mail as” alias configured in the Gmail account, with the alias verified.
  • A dedicated transactional service like Amazon SES, Postmark, or Brevo (see the sending services directory).

Personal Gmail handles low-volume WordPress notifications sent from a Gmail address. It does not replace a transactional service on a custom domain.
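The settings table and the From address constraint above can be checked before a plugin is ever pointed at Gmail. The following Python sketch is an added example, not code from any of the plugins named in this guide: check_settings and send_test are hypothetical names, and addresses are assumed to be bare (no display name).

```python
import smtplib
import ssl
from email.message import EmailMessage

GMAIL_HOST = "smtp.gmail.com"
# Port -> encryption mode, as listed in the settings table above.
PORT_MODES = {587: "starttls", 465: "ssl"}


def check_settings(port, encryption, username, app_password, from_addr, aliases=()):
    """Return (normalised_password, problems) for a Gmail SMTP configuration."""
    problems = []
    if PORT_MODES.get(port) != encryption:
        problems.append(f"port {port} does not pair with encryption {encryption!r}")
    # Spaces are not part of the credential; it is just the 16 characters.
    password = "".join(app_password.split())
    if len(password) != 16:
        problems.append("password is not 16 characters: not an App Password")
    sender = from_addr.strip().lower()
    allowed = {username.lower(), *(a.lower() for a in aliases)}
    if sender not in allowed:
        problems.append("From is neither the authenticated account nor a verified alias")
        if sender.rpartition("@")[2] != username.lower().rpartition("@")[2]:
            problems.append("From domain differs from the account domain: "
                            "sender identity and DMARC alignment at risk")
    return password, problems


def send_test(port, encryption, username, app_password, from_addr, to_addr, aliases=()):
    """Send one test message; refuses to connect if check_settings finds problems."""
    password, problems = check_settings(
        port, encryption, username, app_password, from_addr, aliases)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, "Gmail SMTP test"
    msg.set_content("Sent with an App Password.")
    ctx = ssl.create_default_context()  # verifies the server certificate
    if encryption == "ssl":
        server = smtplib.SMTP_SSL(GMAIL_HOST, port, context=ctx, timeout=20)
    else:
        server = smtplib.SMTP(GMAIL_HOST, port, timeout=20)
    with server:
        if encryption == "starttls":
            server.starttls(context=ctx)  # upgrade before credentials are sent
        server.login(username, password)  # SMTPAuthenticationError carries the 535/534 reply
        server.send_message(msg)
```

send_test only opens a connection once the configuration passes, so a mismatched From address is caught locally instead of surfacing as a silent rewrite or a rejected message.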

Daily sending limits

Both Gmail tiers cap outbound mail per 24-hour rolling window:

  • Personal Gmail: 500 messages per day, or 500 recipients in a single message (Gmail help).
  • Google Workspace (authenticated SMTP via smtp.gmail.com with an App Password): 2,000 messages per day per user, up to 3,000 external recipients per day, and a hard cap of 500 external recipients per message (Gmail sending limits in Google Workspace).

The Workspace SMTP relay service is a separate path with its own 10,000-recipient-per-day cap and IP-allowlist authentication; it is not what this guide configures. If you are using smtp.gmail.com with an App Password from a WordPress plugin, the authenticated-SMTP limits above are the ones that apply.

Hitting the limit returns a temporary error and sending is restricted for 1 to 24 hours. For most WordPress sites this is not a constraint, but a WooCommerce store sending order confirmations on a busy day, or a site whose contact form is being hammered by spam, will hit it. If you are designing for any volume, route through a transactional service instead.

Common errors

  • 535-5.7.8 Username and Password not accepted: wrong password, or App Passwords disabled for the account. Regenerate the App Password and retry. If the error persists, check that 2SV is still enabled and that the Workspace admin has not blocked App Passwords.
  • 534-5.7.9 Application-specific password required: the SMTP authentication is using the account’s main password, not an App Password. Generate one and switch.
  • Authentication succeeds but messages do not arrive: usually a From/Reply-To mismatch or DMARC failure at the recipient. Check your SMTP plugin’s log for the Gmail response, then check the receiving domain’s published DMARC policy.

When to stop using this approach

App Passwords work today, but Google has been steadily phasing out password-based authentication since the Less Secure App Access removal in 2022. For any WordPress site where mail delivery matters (commerce, account recovery, anything not optional), a dedicated transactional service with its own SMTP credentials is the durable choice. App Passwords for Gmail SMTP remain a working option for sites with low send volume, single-account-owner accountability, and no requirement to send from a custom domain.