Error 535 5.7.139 is an email response received when you are trying to send an email via SMTP, but your connection was not accepted and the message bounced. Some examples of this error message may look like:
- 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully.
- 535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.
Why did I receive an 535 5.7.129 error?
The most common reason that you are receiving this error is that the application or device trying to send the email is using SMTP basic authentication. As of 1st October 2022, Microsoft automatically disabled SMTP based authentication in Exchange Online. This means that any existing uses of SMTP will stop working. Luckily for some, you can re-enable SMTP based authentication, but until the end of December, however it is deemed very insecure and you should look to remove it in your environment asap.
How to fix error 535 5.7.129
Remove the need for SMTP email submission
The first option should be that you look to remove the need for SMTP email submission in your environment. For devices such as printers/scanners, you should look to using a method of email relay called Direct Send. Those using old email clients should look at upgrading and software vendors that have not updated their applications should act on this ASAP.
To use Direct Send you should configure the SMTP server address for your sending device/app to your Microsoft 365 MX record. For example, mine is: ourcloudnetwork-com.mail.protection.outlook.com
You also need to configure mail to send on port 25 with TLS and ensure the sending mail address is a domain in your tenant. If your app/device requires you to enter a username or password, you can leave this blank.
The SPF record for your domain also needs to include the public IP from where you app/device is located, for example: (replace 1.1.1.1 with your public IP address)
v=spf1 ip4:1.1.1.1 include:spf.protection.outlook.com ~all
If you need to send email to recipients who are not within your organisation, you will need to create an inbound connect in Exchange Online. Follow the below steps to create an inbound connector:
- Log in to the Exchange Online Admin Center.
- Expand Mail flow and select Connectors.
- Click Add a connector.
- Under Connection from, select Your organizations’s email server and click Next.
- Define a name for your connector and click Next.
- On the Authenticating sent email page, select By verifying that the IP address of the sending server matches one of the following ip addresses, which belong exclusively to your organization, enter your IP and click Next.
- On the final page, click Create connector.
Re-enable SMTP email submission while you work on removing the need for it
If you cannot remove the need for SMTP email submission immediately, you can look at enabling it for your tenant. If this stopped working on October 1st, this would be due to the change Microsoft implemented to get rid of this old protocol. Start by looking at my blog post where I detail how to re-enable SMTP authentication in your tenant: Unable to use basic authentication in Exchange Online? Here’s why
If you have followed the above guide and it is still not working, follow the below steps:
2. Disable security defaults in Azure AD. Follow my guide on How to Enable Security Defaults in Azure Active Directory and ensure the slider is set to No.
3. Next login to or navigate to the Microsoft 365 Admin Center https://admin.microsoft.com/
3. Select Settings > Org Settings
4. Under Services, select Modern Authentication
5. Ensure Authentication SMTP is checked
6. Ensure SMTP is enabled on the individuals mailbox. Select Users > Active users
7. Select the user from the list, select the Mail tab and click Manage email apps
8. Ensure the Authenticated SMTP check box is checked
Hopefully now you have resolve error 535 5.7.139! If you have any questions or are still receiving this error, please comment below.
I have checked all the above. I am still unable to send invoices from a third-party app our company used for billing clients. Bills are sent using an alias (our accounting email) the account for the software used is my company email. It has worked in the past and just stopped working. Any ideas?
Hi!
Can you provide some information on how the third-party app is configured to send emails currently? or advise on the name of the app?
Did not work for our company
Hey! I am happy to advise if you can provide some more info on the issue.
Hello, as we’re in 2023, if I understand well, it’s no more possible to enable basic auth ?
My problem is that I try to send mail via SQL Server. the account used to send is an O365 account. In MS 265 admin console, the option “Authenticated SMTP” is chacked for the account used.
But under “modern app”, I can change nothing.
So I still have the 535 5.7.139 issue 🙁
Any idea ?
Hi Dan
I have same problem i.e. failure in sending emails.
This has started since I activated MFA on my Office365 account.
I have Exchnage Online (Plan 1) subscription.
I tried both passwords i.e. email accopunt password and app password but no luck.
The SMTP server settings are as below:
Server Name: smtp.office365.com
Port: 587
Encryption: TLS
Authentication: Normal Password (LOGIN)
User name:
Password:
Below is the link of the web page where you can see the details of the application I am using and SMTP settings configuration when using this application.
Please assist.
Thanks
Hi Faraz, when using an application to send mail, you should use the Direct Send method instead of trying to authenticate with an account.
Can I have an example of using this so-called Direct Send method? I just can’t figure out how to send emails from app that was working flawlessly prior to the changes.
You should direct your mail to your MX record (configure it as the SMTP server) on port 25 and not use authentication. Ensure you update your SPF record and create an inbound connector in M365 if you need to send externally.
I have the exact same issue as Faraz, my UPS needs to send email and since switching on MFA is it no longer working.
Server: smtp.office365.com, Port: 587, SSL/TLS: Always
I get this error: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.
If I remove the authentication as you suggest, the error changes to: 530 5.7.57 Client not authenticated to send mail.
It is not recommended to Disable security defaults in Azure AD as you suggested.
This worked 100% until I switched on MFA this week.
Hi Eugene,
If you have a UPS which is used to send emails internally. You should set the SMTP server as your MX record and add your public IP to your SPF record, then ensure the sending mail address an an approved domain.
Otherwise, the account you are using SMTP auth with, need to have SMTP auth enabled. In the M365 admin center, select your user, click on the mail tab, click Manage email apps then enable Authenticated SMTP. The account should not have MFA enabled, not be targeted for restrictions in Conditional Access and Security defaults are off. This is why direct send is the preferred method.
Hi Daniel,
Thank you for your content, and I follow all your instructions. That worked for me.
Rally appreciate that.
Glad it helped! 🙂