# 535 5.7.8 Authentication credentials invalid

- **ID:** `communication/smtp-535-authentication-failed`
- **Domain:** communication
- **Category:** auth_error
- **Error Code:** `535`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

SMTP server rejects the client's authentication attempt due to incorrect username, password, or unsupported authentication mechanism (e.g., LOGIN vs PLAIN).

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Postfix 3.8 | active | — | — |
| Exim 4.97 | active | — | — |
| Sendmail 8.18 | active | — | — |
| Microsoft Exchange 2019 | active | — | — |

## Workarounds

1. **Verify the username and password are correct by testing with a direct SMTP session using `openssl s_client` to connect and manually issue AUTH LOGIN or AUTH PLAIN.** (90% success)
   ```
   Verify the username and password are correct by testing with a direct SMTP session using `openssl s_client` to connect and manually issue AUTH LOGIN or AUTH PLAIN.
   ```
2. **Change the authentication mechanism in the client configuration. For PHPMailer, set `$mail->SMTPAuthType = 'PLAIN';` or for Python smtplib, use `smtp.login()` which defaults to PLAIN.** (85% success)
   ```
   Change the authentication mechanism in the client configuration. For PHPMailer, set `$mail->SMTPAuthType = 'PLAIN';` or for Python smtplib, use `smtp.login()` which defaults to PLAIN.
   ```
3. **Enable 'Less secure app access' or generate an app-specific password if the SMTP server enforces OAuth2 (common with Gmail, Outlook). For Gmail, use an App Password.** (80% success)
   ```
   Enable 'Less secure app access' or generate an app-specific password if the SMTP server enforces OAuth2 (common with Gmail, Outlook). For Gmail, use an App Password.
   ```

## Dead Ends

- **Re-enter the same password in the application config** — If the password is already correct but the mechanism is wrong, re-entering the same value won't help. The error is often about mechanism mismatch. (70% fail)
- **Disable TLS/SSL on the SMTP connection** — Many SMTP servers require TLS for authentication. Disabling TLS prevents any AUTH command from working. (85% fail)
- **Use port 25 instead of 587 for submission** — Port 25 typically does not require authentication. Switching to port 25 bypasses the need for credentials but may be blocked by ISPs or violate RFC. (60% fail)