SMTP Server for Office 365: Complete Setup Guide (2026)
Your Canon printer's scan-to-email stopped working last Tuesday. Nobody changed anything. The ticket says "authentication failed," and now you're hunting for the right SMTP server for Office 365 settings - buried across four different Microsoft Learn pages, two blog posts, and a deprecated TechNet article. This guide puts everything in one place.
Quick-Reference Settings
Here are your copy-paste Office 365 SMTP settings:
Server: smtp.office365.com
Port: 587
Encryption: STARTTLS (TLS 1.2 or higher)
Auth: Yes (username + password, or OAuth2/XOAUTH2)
Username: your-full-email@yourdomain.com
Password: mailbox password (or OAuth2 access token)
Decision rule: Use SMTP AUTH on port 587 for most use cases. Use SMTP Relay if you send high volume from a static IP. Use Direct Send only for internal-only delivery.
Deprecation alert: Basic auth works through December 2026 with no changes, but plan your OAuth migration now.
Full Settings Reference
| Setting | Value |
|---|---|
| SMTP Server | smtp.office365.com |
| Port | 587 |
| Encryption | STARTTLS |
| TLS Version | 1.2 or 1.3 |
| Authentication | Required |
| Username | Full email address |
| Password | Mailbox password |
The server address is always smtp.office365.com - not outlook.office365.com, not mail.protection.outlook.com. Those are different services entirely. The username is always your full Microsoft 365 email address, not a short alias or display name.
If you're configuring a shared mailbox, you'll still use the shared mailbox's full email address as the SMTP identity/from address. For OAuth, the userName field in XOAUTH2 must be the shared mailbox address, while the token is obtained on behalf of a licensed user with Send As or Send on Behalf permissions.
Bookmark this table. Every app, printer, and scanner config screen asks for these same six fields.
Which Sending Method Should You Use?
Microsoft supports three distinct methods for sending email through Office 365. They look similar but behave very differently.
| Feature | SMTP AUTH | SMTP Relay | Direct Send |
|---|---|---|---|
| Port | 587 (or 25) | 25 | 25 |
| TLS Required | Yes | Optional | Optional |
| Authentication | User/pass or OAuth2 | Static IP (or TLS cert) | None |
| Send External | Yes | Yes | No |
| Saves to Sent | Yes | No | No |
| 3rd-Party Host | Yes | No | Yes (with SPF) |
| Daily Limit | 10K recipients/day | "Reasonable" | Standard throttle |
If your device or application authenticates with credentials and needs to send externally, SMTP AUTH is the answer. It's the most flexible option and the only one that saves messages to the Sent Items folder.
For high-volume sending from a server with a static public IP - think transactional emails from an ERP system - SMTP Relay avoids mailbox-based client submission throttling. You'll configure an inbound connector in Exchange Online instead of using credentials.
Direct Send sounds appealing but is a trap for most use cases. It only delivers to internal Microsoft 365 recipients. No external delivery. No Sent Items. No authentication. The moment someone asks "why didn't the client get that email?" you'll regret choosing it.
For the vast majority of printer, scanner, and application configurations, client submission on port 587 is what you want.
How to Enable SMTP AUTH
Microsoft disables SMTP AUTH by default for tenants created after January 2020. This single setting is responsible for more wasted sysadmin hours than any other Exchange Online config, because the error message doesn't say "SMTP AUTH is disabled." It says "authentication unsuccessful," which sends you down a password-reset rabbit hole that leads nowhere.
Security Defaults Warning
Here's the thing: if Entra ID Security Defaults are enabled for your tenant, SMTP AUTH is dead regardless of every other setting on this page. Security Defaults blocks legacy authentication protocols entirely. You'll need to either disable Security Defaults (not recommended) or migrate to OAuth. There's no workaround that preserves both.
Admin Center (Org-Wide)
Navigate to the Exchange admin center: Settings > Mail flow. Look for the toggle labeled "Turn off SMTP AUTH protocol for your organization." If it's on, SMTP AUTH is disabled org-wide. Toggle it off to enable.
Per-Mailbox (Recommended)
We've found the per-mailbox approach causes fewer support tickets than enabling SMTP AUTH org-wide. Microsoft agrees - their own recommendation is to keep it disabled org-wide and enable it only for specific mailboxes.
In the Microsoft 365 admin center:
- Go to Users > Active users
- Select the user or service account
- Click Mail > Manage email apps
- Check Authenticated SMTP
PowerShell Commands
For org-wide control:
# Enable SMTP AUTH org-wide
Set-TransportConfig -SmtpClientAuthenticationDisabled $false
# Verify current setting
Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
For per-mailbox overrides:
# Enable for a specific mailbox
Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $false
# Verify
Get-CASMailbox -Identity user@domain.com | Format-List SmtpClientAuthenticationDisabled
Setting the value to $null makes the mailbox inherit the org-wide setting.
Hitting Office 365's 10,000 recipient daily limit? Every bounce to an invalid address wastes quota and damages your domain reputation. Prospeo's 5-step email verification catches bad addresses before they hit your SMTP pipeline - 98% accuracy, spam-trap removal, and catch-all domain handling included.
Stop wasting SMTP sends on dead addresses. Verify your list first.
Rate Limits and Throttling
Outdated information about Office 365 sending limits is everywhere. Here's what actually applies in 2026.
| Limit | Value | Behavior |
|---|---|---|
| Recipients per day | 10,000 | Rolling 24-hour window |
| Messages per minute | 30 | Excess throttled, carried into subsequent minutes |
| Recipients per message | Up to 1,000 | Tenant-configurable ceiling |
The 30 messages/minute limit is a throttle, not a wall - excess messages get carried into subsequent minutes rather than bouncing. The 10,000 recipient/day limit is harder. Exceed it and you'll get NDRs until the rolling window resets.
Organization-managed distribution lists in the GAL count as a single recipient; personal contact-folder distribution lists count each member individually.
You'll still see references to a 2,000 external recipient/day limit. Microsoft announced this in 2024 but cancelled the implementation in January 2026. It never went into effect. Any guide still citing that limit is outdated.
An Exchange Online Kiosk license runs around $2-$4/user/month. It's a cheap way to isolate your application sending from user mailboxes.
If you're hitting recipient limits on outbound campaigns, check whether bounces to invalid addresses are eating into your daily quota. Running your list through an email verification tool like Prospeo before sending reduces wasted recipients and keeps your domain reputation clean.
If you're scaling outbound, it also helps to track your email velocity so throttles don't surprise you.
Basic Auth Deprecation Timeline
Many guides cite outdated dates for SMTP AUTH Basic auth deprecation. Here's the current timeline from Microsoft's Exchange Team blog:
- Now through December 2026 - No change. SMTP AUTH Basic auth works exactly as it does today.
- End of December 2026 - Basic auth disabled by default for existing tenants. Admins can re-enable it if needed.
- New tenants after December 2026 - Basic auth unavailable by default. OAuth is the supported method.
- Second half of 2027 - Microsoft announces the final, permanent removal date.
The key detail most people miss: step 2 isn't a hard cutoff. Admins can still flip the switch back on after December 2026. It's a default change, not a removal. The actual hard removal comes later, and Microsoft hasn't committed to a specific date yet.
Stop disabling MFA on your SMTP service accounts as a workaround. It's a security liability that buys you maybe 18 months. A basic OAuth implementation takes a day. Waiting until December 2026 and scrambling takes a week - plus downtime.
OAuth for SMTP: Future-Proof Setup
OAuth replaces username/password authentication with token-based auth. Register your application in Microsoft Entra and request this scope:
https://outlook.office.com/SMTP.Send
The SMTP session uses SASL XOAUTH2 to pass the token. The token format is a base64-encoded string:
base64("user=" + userName + "\x01auth=Bearer " + accessToken + "\x01\x01")
Where \x01 is the Control+A character, hex %x01.
The SMTP protocol exchange looks like this:
C: AUTH XOAUTH2 <base64 string>
S: 235 2.7.0 Authentication successful
A failed attempt returns 535 5.7.3 Authentication unsuccessful - the same error you'd get from bad credentials, so check your token generation first.
For shared mailboxes, the OAuth token is obtained on behalf of a licensed user, but the userName field in the XOAUTH2 string must be the shared mailbox address. The user needs Send As or Send on Behalf permissions on that shared mailbox.
If you're planning a broader deliverability cleanup alongside OAuth, use an email deliverability guide to avoid fixing auth while ignoring reputation.
Printers, Scanners, and Legacy Devices
Your Canon imageRUNNER from 2018 doesn't support OAuth. That's not your fault. Here are three migration paths, ranked by effort.
Firmware update (easiest). Several major manufacturers now support OAuth via firmware: Ricoh, Canon, Kyocera, HP, Toshiba, and Lexmark all have models with OAuth-capable firmware. Check your specific model - this is the cleanest long-term fix.
On-prem SMTP relay (middle ground). Deploy hMailServer or IIS SMTP as a bridge. Your devices authenticate locally with Basic auth; the relay forwards to Microsoft 365 using a connector or OAuth. Your devices don't need to change at all, and you can manage the auth transition in one place instead of reconfiguring every MFP on every floor.
Third-party relay service (zero infrastructure). Services like SMTP2Go, SendGrid, or Mailgun offer free tiers for low volume and paid plans typically starting around $15-$35/month. Your devices point at the relay service instead of smtp.office365.com - completely decoupled from Microsoft's auth changes.
Skip the third-party relay route if you're in a regulated industry that requires all email to flow through your Microsoft 365 tenant for compliance and eDiscovery. In that case, the on-prem relay is your best bet.
Microsoft also offers Azure Communication Services Email for both internal and external delivery - worth evaluating if you're already in the Azure ecosystem.
Troubleshooting Common Errors
Before you blame Microsoft, check your own network.
| Code | Meaning | Fix |
|---|---|---|
| 550 5.7.30 | Basic auth blocked | Enable SMTP AUTH or use OAuth |
| 535 5.7.3 | Auth failed | Check credentials or OAuth token |
| 5.7.57 | Client not authenticated | SMTP AUTH not enabled for mailbox |
| 421 4.7.0 | Throttling/temp rejection | Wait and retry; check limits |
A recurring theme on r/sysadmin: relay servers send fine, but MFPs on the same network fail intermittently. We've traced this to network-level issues almost every time:
- IDS/IPS rules - Security appliances selectively block SMTP traffic from devices with different retry behaviors than servers
- ISP port 25 blocking - Many ISPs block outbound port 25; use port 587 with STARTTLS instead
- TLS 1.2 support - Older devices only support TLS 1.0/1.1, which Microsoft no longer accepts
The SMTP AUTH clients report in the Exchange admin center shows which accounts are actively using SMTP AUTH and their TLS versions. It's the fastest way to identify devices that'll break when Basic auth goes away.
If you're seeing deliverability issues after you get auth working, check your email bounce rate and whether you need spam trap removal.
You just spent an hour configuring SMTP AUTH so your outbound campaigns actually deliver. Don't waste that effort sending to unverified addresses that spike your bounce rate. Prospeo verifies 143M+ emails at 98% accuracy - for about $0.01 each - so every message you push through smtp.office365.com reaches a real inbox.
Clean data in, clean delivery out. Start with 75 free email verifications.
FAQ
What port does Office 365 SMTP use?
Port 587 with STARTTLS encryption is the standard for SMTP AUTH client submission and works with virtually every device and application. Port 25 is used for SMTP Relay and Direct Send but is frequently blocked by ISPs - avoid it unless you have a specific relay configuration.
Can I still use a password for SMTP AUTH in 2026?
Yes. Basic auth works through December 2026 with no changes. After that, Microsoft disables it by default but admins can temporarily re-enable it. New tenants created after December 2026 won't have the option. Start your OAuth migration now to avoid scrambling.
What if my device doesn't support OAuth?
Deploy an on-prem SMTP relay like hMailServer or IIS SMTP as a bridge between your legacy device and Microsoft 365, or switch to a third-party relay like SMTP2Go or SendGrid. Azure Communication Services Email is another option for teams already in the Azure ecosystem.
How do I configure these settings in WordPress?
Install the WP Mail SMTP or Post SMTP plugin. Use smtp.office365.com, port 587, STARTTLS, and your full Microsoft 365 email as the username. The plugin routes WordPress mail through authenticated SMTP (or OAuth), which improves deliverability versus default PHP mail.