What 535 Authentication failed Means
535 is a permanent rejection of the AUTH command. The credentials you supplied — typically username + password via AUTH LOGIN or AUTH PLAIN — didn't match what the receiver expects. Per RFC 4954, this is the canonical 'wrong credentials' response.
Your own outbound mail server when your sending platform's stored SMTP credentials are wrong. Rarely from recipient MX servers since most don't require AUTH.
Wrong password; correct password but a hidden character (newline, space) corrupting it; account locked after repeated bad attempts; or the username format expected by the server doesn't match what's stored (e.g. server expects 'user@domain.com' but platform sent just 'user').
How to Fix 535 Authentication failed
- 1
Re-enter the password manually
The single most common cause of 535 is a corrupted password copy-paste — invisible characters, trailing newlines, or quoted characters from spreadsheet exports. Open your sending platform's mailbox settings and re-type the password from a clean source.
- 2
Verify the username format
Most mail servers expect the username to be the full email address (e.g. john@example.com). Some legacy servers expect just the local-part (john). Check your mail server's auth-format requirement and ensure the sending platform matches.
- 3
Check for account lockout
Many mail servers temporarily lock accounts after several failed AUTH attempts. If your sending platform retried with bad creds, the account may be locked even after you fix the password. Wait 15-30 minutes and retry, or unlock via the server's admin interface.
- 4
Verify the port + TLS combination
Port 587 with STARTTLS is the standard submission setup. AUTH LOGIN/PLAIN sends credentials in base64 (not encrypted) — without TLS, well-configured servers refuse AUTH and return 535 as a security measure. Use 587 + STARTTLS.
- 5
If using ColdRelay credentials — re-fetch from dashboard
ColdRelay's dashboard has the canonical credentials for each mailbox. If you copy-pasted from an old CSV, re-download from Mailboxes → Export. The dashboard also shows the exact SMTP host, port, and username for each mailbox.
References
535 Authentication failed in the Cold Email Context
535 is a setup-time error in cold email — once mailbox credentials are correct in your sending platform, 535 doesn't recur. The friction case is the initial connection of 50-1,000 mailboxes to a platform like Instantly or Smartlead — pasting credentials manually for that many mailboxes risks transcription errors. ColdRelay's API integrations (with Instantly v2 and Smartlead) push credentials directly from provisioning, eliminating the manual-paste step entirely. The CSV export is also formatted for one-shot import into platforms that accept bulk CSV uploads.
Frequently Asked Questions
Is 535 the same as 530?
Close but different. 530 = auth is required but you didn't attempt it. 535 = you attempted auth but the credentials failed. Both are permanent; the fix is similar (verify credentials in your sending platform).
Can a password reset fix 535?
If you've lost the password, yes — reset it via your mail server's admin interface and update the sending platform. If the password is correct but 535 persists, the issue is format or account lockout, not the password itself.
Why does AUTH fail without TLS?
AUTH LOGIN and PLAIN transmit credentials in base64 (essentially plaintext to anyone sniffing). Well-configured mail servers refuse these mechanisms without TLS — returning 535 or 538. Always use port 587 with STARTTLS, or port 465 with implicit SSL.
How many failed attempts trigger lockout?
Depends on the server. Many configurations lock after 3-5 failed attempts within a 5-minute window. The lockout typically lasts 15-60 minutes. Check your specific server's policy or wait and retry.