Fix “StartTLS Is Required to Send Email” Error (SMTP Configuration)

The “StartTLS is required to send email” error occurs when your email client or application tries to connect to an SMTP server without using encryption. Modern email servers demand a secure connection. If you attempt to send mail through an unencrypted channel, the server refuses the connection.

StartTLS is a command that upgrades your regular connection to an encrypted one. It’s a security requirement, not optional. Your server wants to protect your login credentials and email content from being intercepted.

This error typically appears in email applications like Outlook, Thunderbird, or custom web applications. It means your SMTP settings are incomplete or wrong.

How SMTP and StartTLS Actually Work

Before fixing the error, understand what’s happening behind the scenes.

SMTP stands for Simple Mail Transfer Protocol. It’s the system your email uses to send messages. When you hit “send,” your application connects to an SMTP server and authenticates with a username and password.

Without encryption, someone on your network could capture that password. StartTLS prevents this by creating an encrypted tunnel before any credentials are transmitted.

Here’s the flow:

1. Your client connects to the SMTP server (usually port 587)
2. The server announces it supports StartTLS
3. Your client issues the STARTTLS command
4. Connection encrypts using TLS (Transport Layer Security)
5. Login credentials are sent safely
6. Email is transmitted

If you skip step 4, the server rejects the connection. This is where the error appears.

Common SMTP Port Configurations

Different ports have different security requirements. This is where most people make mistakes.

Port	Protocol	Requires StartTLS	Common Use
25	SMTP	Sometimes	Server-to-server mail, often blocked for clients
465	SMTPS	No (implicit SSL)	Direct SSL encryption from start
587	Submission	Yes (required)	Standard for client submissions, uses StartTLS
2525	Alternative	Usually	Used when port 587 is blocked

Port 587 is the modern standard. It requires StartTLS. Port 465 uses SSL/TLS from the beginning, which is different but equally secure.

If your email provider specifies port 587, you must enable StartTLS. If they specify port 465, you disable StartTLS and enable SSL instead.

Step-by-Step Fix for Common Email Clients

Fixing SMTP Settings in Outlook (Windows and Mac)

Open Outlook and go to File > Account Settings > Account Settings.

Find your email account in the list and click it. Then click “Change.”

Scroll down to find the outgoing mail server settings (SMTP).

Look for these settings:

• Outgoing mail server (SMTP): Check this matches your provider (usually mail.yourdomain.com or smtp.gmail.com)
• Port: Should be 587
• Encryption method: Select “STARTTLS” or “TLS”
• Requires authentication: Check this box
• Username: Your full email address

Click “Next” and test the connection. Outlook will verify your settings.

If it still fails, try turning on “Require encrypted connection” if that option appears separately.

Fixing SMTP Settings in Thunderbird

Open Thunderbird and go to Edit > Account Settings (or Thunderbird > Preferences on Mac).

Select your email account from the left sidebar.

Click “Outgoing Server (SMTP)” at the bottom.

In the list, find and select your current server. Click “Edit.”

Verify these fields:

• Server name: Correct SMTP hostname
• Port: 587
• Connection security: Select “STARTTLS”
• Authentication method: “Normal password” or “OAuth2” depending on your provider

Click OK and test sending an email.

Fixing SMTP in Gmail

Gmail has specific requirements. If you use Gmail and see this error, follow these steps.

First, you need an app password. Gmail doesn’t allow your regular password for third-party apps anymore.

Go to myaccount.google.com and sign in.

Click “Security” in the left menu.

Scroll down to “App passwords.” (This only appears if you have 2-step verification enabled. Enable it first if needed.)

Select “Mail” and “Windows Computer” (or your device type).

Google generates a 16-character password. Copy it.

Now configure your email client:

• SMTP server: smtp.gmail.com
• Port: 587
• Security: STARTTLS
• Username: your.email@gmail.com
• Password: Use the 16-character app password, not your regular password

Test the connection. This resolves the error for Gmail users.

Fixing SMTP in Microsoft 365 / Office 365

Microsoft 365 email uses these settings:

• SMTP server: smtp.office365.com
• Port: 587
• Encryption: STARTTLS
• Username: your full email address
• Password: Your Office 365 password

If you have multi-factor authentication enabled, use an app password instead of your regular password.

Generate an app password through your Microsoft account security page, then use that in your email client.

Fixing SMTP Settings in Web Applications and Custom Code

If you’re building an application that sends email, the fix depends on your technology stack.

PHP with PHPMailer

$mail = new PHPMailer(true);
$mail->Host = 'smtp.gmail.com';
$mail->Port = 587;
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->SMTPAuth = true;
$mail->Username = 'your-email@gmail.com';
$mail->Password = 'your-app-password';

The critical line is $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;. This enables StartTLS. Without it, the error appears.

Node.js with Nodemailer

const transporter = nodemailer.createTransport({
  host: 'smtp.gmail.com',
  port: 587,
  secure: false,
  auth: {
    user: 'your-email@gmail.com',
    pass: 'your-app-password'
  }
});

The key here is secure: false. When port 587 is used with secure: false, Nodemailer automatically uses StartTLS. If you set secure: true, use port 465 instead.

Python with smtplib

import smtplib

server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()
server.login('your-email@gmail.com', 'your-app-password')
server.send_message(message)
server.quit()

The server.starttls() line is mandatory. Without it, authentication fails on servers requiring StartTLS.

WordPress Email Configuration

If you’re using WordPress and seeing SMTP errors, install a plugin like WP Mail SMTP.

Go to WP Mail SMTP settings and select your email provider (Gmail, Office 365, or custom SMTP).

Configure these fields:

• SMTP Host: Your provider’s SMTP address
• SMTP Port: 587
• Encryption: TLS
• Username and password

The plugin automatically handles StartTLS when you select TLS as the encryption method.

Troubleshooting When Settings Look Correct

Sometimes all settings appear right, but the error persists.

Check Your Firewall and Network

Port 587 might be blocked on your network. Try port 2525 as an alternative. Most email providers support it.

If port 2525 works, your network is blocking 587. Contact your network administrator.

Try connecting from a different network (phone hotspot, another WiFi) to confirm port blocking. If it works elsewhere, the problem is your local network.

Verify Your SMTP Host Address

Wrong hostnames cause authentication failures. Double-check the exact server address from your email provider’s documentation.

For example:

• Gmail: smtp.gmail.com (not mail.gmail.com)
• Office 365: smtp.office365.com (not outlook.office365.com)
• Zoho: smtp.zoho.com (not mail.zoho.com)

One letter wrong breaks everything.

Confirm Username and Password

Your username is usually your full email address, not just the part before the @.

For app-specific passwords (Gmail, Office 365), remove all spaces and use exactly what the provider generated.

Test your credentials by logging into webmail. If you can’t log in there, the error persists in your email client.

Check Firewall Software on Your Computer

Antivirus or security software sometimes blocks email connections. Temporarily disable your firewall and test.

If email works with the firewall off, your security software is interfering. Add an exception for your email client or adjust outgoing port rules.

Look for Special Characters in Your Password

If your password contains special characters, verify it’s entered correctly. Spaces, quotes, and ampersands can cause problems.

If password entry is problematic, change your password to something simpler (letters and numbers only), then test.

SMTP vs. IMAP: Know the Difference

IMAP handles receiving emails. SMTP handles sending. Confusion between these causes needless troubleshooting.

If you see “StartTLS required” specifically, it’s about SMTP (sending). Your receiving settings (IMAP) are separate.

IMAP also uses StartTLS often, but on port 993 (implicit SSL) or port 143 (StartTLS). Check both sending and receiving settings if your email account isn’t fully working.

What StartTLS Provides and Why It Matters

StartTLS encrypts data between your client and the SMTP server. It prevents:

• Password theft from network interception
• Email content being read in transit
• Attackers spoofing your identity

It’s not optional on modern infrastructure. Using unencrypted SMTP is like sending postcards through the mail instead of sealed envelopes. Anyone handling them can read the contents.

Servers enforce this requirement to protect themselves and their users. Allowing unencrypted credentials creates security vulnerabilities. Most email providers simply refuse unencrypted connections.

Summary

The “StartTLS is required to send email” error means your SMTP settings are missing encryption configuration.

Quick fix:

1. Use SMTP port 587
2. Enable StartTLS (not SSL)
3. Verify the correct hostname
4. Use your full email as username
5. Generate an app password if your provider requires it
6. Test the connection

For each platform:

• Outlook: Account Settings > Change > Set port to 587, encryption to STARTTLS
• Thunderbird: Account Settings > Outgoing Server > Port 587, StartTLS
• Gmail: Use app password, smtp.gmail.com, port 587, STARTTLS
• Office 365: smtp.office365.com, port 587, STARTTLS
• Web apps: Use code examples above for your framework

If settings are correct but the error persists, check port blocking, firewall rules, and verify your password with webmail login.

This error is entirely fixable. It’s a configuration issue, not a account problem. Take these steps in order and your email will send.

FAQs

What’s the difference between StartTLS and SSL?

StartTLS upgrades an unencrypted connection to encrypted (port 587). SSL/TLS starts encrypted from the beginning (port 465). Both are secure. Your email provider specifies which one to use.

Can I use port 25 to avoid this error?

Port 25 is designed for server-to-server mail and is often blocked for client connections. Most ISPs and hosting providers block it. Port 587 is the proper standard for email clients and always requires StartTLS.

Why does Gmail require an app password?

Gmail’s security policy prevents third-party apps from using your main password. App passwords are single-use tokens that only grant mail access. It protects your account if a third-party app is compromised.

Do I need StartTLS if I’m on a private network?

Yes. StartTLS protects credentials even on private networks. Someone with network access could still intercept unencrypted traffic. Use it regardless of your network type.

My email worked before, now this error appears. What changed?

Your email provider likely upgraded their security requirements and disabled unencrypted connections. Update your client settings to use port 587 and StartTLS. Older SMTP configurations are no longer supported.