Google announced they are deprecating basic SMTP AUTH. This guide will go over what this change means and how it will affect scanning with MFPs in a business environment and outlines replacement options such as unauthenticated mail relay and configuring OAuth for outbound mail.
What is SMTP AUTH?
SMTP AUTH is a process that allows only authorized users to send email to an SMTP server. It’s a mechanism built into the SMTP protocol that requires the user to authenticate before sending messages, in this context, it would be the MFP emailing scanned documents (PDFs) via SMTP. The MFP connects to the SMTP server, provides the credentials (username and password), and the server checks the credentials against its database of authorized users. If authentication is successful, the SMTP server allows email to be sent. If authentication fails, the server rejects the request.
Why does SMTP AUTH matter to me?
Many companies use SMTP AUTH to authenticate to their email server, which allows the MFP to send scanned documents to email destinations.
Am I affected by this change?
Companies that use BASIC AUTH with Google Workspace to send email from an MFP are affected by this change. Review the SMTP settings on your MFP, to see how it’s configured.
- SMTP Server is Google, such as
smtp.gmail.com
- Username and password are both entered for SMTP authentication
- Basic Authentication for SMTP may be enabled
NOTE: If you’re using an App-Password, then Google Workspace will allow SMTP authentication (See Option 3 below)
Additionally, you may check your Google Workspace user log events. If you have MFPs authenticating using Basic AUTH, that activity will be listed there.
- Log into the Google Workspace portal: https://admin.google.com/
- Expand “Reporting”, “Audit and Investigation” and select “User log events”, review for some things listed below:
- Login Type: Google password
- IP Address: Compare against your list of MFPs
- If these factors are present, your configuration will be impacted by Google’s changes
What happened as of March 2025?
- Access to less secure apps will be turned off for all Google Accounts
- CalDAV, CardDAV, IMAP, SMTP, and POP will no longer work with legacy passwords (basic authentication)
How will this affect MFP Scan-to-Email?
After Basic Authentication is disabled, devices configured to use this login method will no longer be able to authenticate and send emails, causing the scan job to fail.
Available options in place of SMTP AUTH:
There are options to address this change to SMTP AUTH. Here is an overview of each option, the details are provided further in this guide.
- Option 1 (Recommended): Set up an SMTP Relay through Google Workspace – This option requires no authentication at the MFP level and is secured through TLS and IP-based authentication. Once the relay is configured, the same configuration is used on each MFP.
- Option 2: Implement OAuth-based authentication on each individual MFP – This option requires a compatible MFP (not all MFPs support OAuth) and is configured on each MFP individually, not centrally managed.
- Option 3: Configure an app password for use with the device and apply these settings on the device under the SMTP setup menu.
- Option 4: UBEO offers solutions that eliminate the need for SMTP. Contact our sales team to explore options that fit your needs.
Action Plan:
- Assess whether you’re affected (See Am I affected by this change?)
- If you’re affected, decide which option you will use
- If using Option 1, Unauthenticated mail relay:
- Configure mail relay per instructions below
- Configure MFPs to use mail relay
- If using Option 2, OAuth configuration:
- Assess the MFP models in your environment
- On compatible models, configure OAuth per details below
- If you have any unsupported MFP models, please reach out to your UBEO Account Manager to discuss upgrade options
- If using Option 3, App Password:
- Configure App Password per instructions below
- Configure MFPs to use the App Password for SMTP authentication
- If using Option 4, Contact our sales team to discuss alternative solutions that eliminate the need for SMTP and ensure seamless communication.
Option 1: Unauthenticated Mail Relay (Recommended)
Note on Security: Although this method is listed as “unauthenticated”, it remains secure because the relay is restricted to approved IP addresses, preventing unauthorized use. Messages are only accepted from trusted internal sources, and TLS encryption is used, to ensure that emails remain protected in transit.
Steps for Unauthenticated Mail Relay:
- Obtain the public (static) IP address(es) that the device or application will send from. A dynamic IP address is not supported or allowed. Make a note of this IP address for later. Multiple public static IP addresses are supported.
- Sign in to your Google Admin console (https://admin.google.com/) using your administrator account (does not end in @gmail.com)
- From the Admin console Home page, go to Apps > Google Workspace > Gmail > Routing
- Note: You might find this setting at Apps > Google Workspace > Gmail > Advanced Settings
- On the left, select the top-level organization
- Scroll to the SMTP relay service setting in the Routing section, hover over the setting, and click Configure
- If the setting is already configured, hover over the setting and click Edit or Add another
- For a new setting, enter a unique description.
- In the Allowed senders section, select Only addresses in my domains
- In the Authentication section, select Only accept mail from the specified IP addresses
- Enter the IP addresses recorded in Step 1:
- Click Add IP RANGE
- Enter a description for the IP address or range
- Enter the IP address or range
- Use the Classless Inter-Domain Routing (CIDR) format to enter an IP range (ex: 123.123.123.123.)
- Check the Enabled box to enable this IP address or range
- Click Save
- In the Encryption section check the Require TLS encryption box to require that the communication between your server and Google’s server be TLS encrypted, including the message contents
- Click Add setting or Save
- At the bottom click Save
Option 2: OAuth
OAuth provides modern authentication protocols, offering enhanced security by eliminating the need to store usernames and passwords directly on the devices. Each manufacturer offers specific instructions for enabling OAuth.
Some general guidelines for setting up OAuth:
- Configuration of OAuth authentication requires a mailbox/account in Google Workspace
- This account will be used as the sender for email sent from the MFP
- Obtain OAuth 2.0 credentials from the Google API Console
- Obtain an access token from the Google Authorization Server
- Examine scopes of access granted by the user
- Send the access token to an API
OAuth setup for specific devices:
-
Canon MFP: Canon MFP must be on unified Firmware Platform (uFP) v3.18 or higher. For more support view Canon instructions here.
-
HP MFP: To use OAuth on HP MFPs, please be sure to upgrade your firmware to HP FutureSmart 5.7 or newer.
- Ricoh/Savin/Lanier MFP(s): Currently Ricoh has limited support for using OAuth authentication. An unauthenticated relay (Option 1 above) is recommended for Ricoh MFPs.
- Lexmark MFP: Lexmark printers support OAuth 2.0 authentication starting with the FW24 firmware. For more support view Lexmark instructions here.
- Xerox MFP: Currently Xerox doesn’t support modern authentication like OAuth 2.0. An unauthenticated relay (Option 1 above) is recommended for Xerox MFPs. For more support view Xerox instructions here.
- Sharp MFP: Many of the newer Sharp models do include support for OAuth however older models may not. Please reference the documentation for your model to determine OAuth support. For more support view Sharp instructions here.
- Konica-Minolta MFP: Konica-Minolta has limited support for OAuth using a special firmware GP4-Q6, however detailed information is limited. Using Option 1, an unauthenticated relay would be the best option for Konica-Minolta. OAuth may be supported with production firmware in the future.
Option 3: App Password
Enable 2-Step Verification in your Google Account settings and then generate an app password for the specific app or device.
- Enable 2-Step Verification:
- Go to your Google Account security settings: https://myaccount.google.com/security
- Click on How you sign in to Google and then 2-Step Verification
- Follow the instructions to set up 2-Step Verification, which usually involves adding a phone number or using a security key
- Generate an App Password:
- Once 2-Step Verification is enabled, go back to your Google Account security settings
- Click on App passwords under How you sign in to Google
- Click Generate to create the app password
- Copy and save the generated app password, you won't be able to see it again
Option 4: Non-Device based SMTP scanning solutions
In some cases, device-based SMTP authentication and OAuth are not required. UBEO offers solutions that simplify communication without setting up an email relay or adjust any SMTP settings in your environment. Please reach out to our sales team and learn more about the solutions offered by UBEO Business Services.
Document Scanning Workflow:
Resources
Glossary:
- SMTP: Simple Mail Transfer Protocol
- MX Record: Mail Exchange Record
- GMail: Google Email Server (cloud)
- Mail Connectors: A tool or configuration setting used to enable communication between a multifunction printer (MFP), and an email server.
- MFD / MFP: Multi-Function Device / Multi-Function Printer
- OAuth: An open standard for secure authorization that allows applications to access resources on a server without exposing user credentials. It uses tokens to grant limited access, enhancing security and enabling seamless integration with services like email servers.
- Relay: The process of forwarding email through an SMTP server, often used to route messages securely from devices like MFPs to recipient mail servers.
- Email Domain: The part of an email address after the "@" symbol, representing the mail server handling the email (e.g., gmail.com)
Support & Reference Links: