Your ‘Scan to Email’ / SMTP alerts stopped working with Gmail (534-5.7.9 “Application-specific password required”): what to do
The problem (and who it hits)
If you rely on Gmail (or Google Workspace Gmail) to send email from:- a multi‑function printer/scanner (“scan to email”),
- a website contact form or CMS plugin,
- a NAS/monitoring tool sending alerts,
- an older mail client or script using SMTP/IMAP/POP with only a username + password,
…you may suddenly see failures such as:
- `534-5.7.9 Application-specific password required`
- “Username and password not accepted”
- “Invalid credentials” even though the password is correct
In many cases, nothing changed on your side. Google changed what it allows.
Why it’s happening
Google has been winding down password-only access for third‑party apps/devices (often referred to as “Less Secure Apps” / LSA). Google’s stated reason is that password-only sign-in is an outdated method that increases risk when people share primary account credentials with third-party apps and devices. The safer replacement is OAuth (“Sign in with Google”), where the app gets a token instead of your password. Google has published timelines and updates for Google Workspace’s LSA shutdown. [1]When a device/app can’t do OAuth, Google often blocks password sign-in—and the system starts returning errors that look like “bad password,” or prompts for an application-specific password. [2]
Fix option 1 (best): Switch the app/device to OAuth (“Sign in with Google”)
This is the cleanest long-term solution if your app supports it.Steps
1. Check the app’s account type settings (IMAP/SMTP/Google provider). 2. Remove the existing Gmail account from the app (or remove and re-add). 3. Re-add it using a method that explicitly says “Sign in with Google” or OAuth2. 4. Confirm the app is using modern auth and test a send.Where this is common: newer Outlook/Thunderbird versions, many modern plugins/tools.
Fix option 2: Use a Google App Password (works for many legacy SMTP devices)
If your device/app can only do SMTP AUTH with a username/password, an App Password is often the practical workaround.Important notes:
- App passwords require 2‑Step Verification to be enabled. [2]
- App passwords are 16-digit codes and are meant for a specific app/device. [2]
Steps (Google Account)
1. Turn on 2‑Step Verification for the Google account you’ll send from. 2. Go to App Passwords in your Google Account security settings. 3. Create an app password for “Mail” (or a custom name like “Office Printer”). 4. Copy the 16-digit app password.Steps (Printer/scanner or device)
1. Open the device’s web admin page. 2. Find the SMTP AUTH password field. 3. Paste the app password (not your normal Gmail password). 4. Send a test scan/email.Brother (as one example) documents this approach for “Scan to E-mail Server” when LSA is no longer available. [3]
If you can’t find “App Passwords”
Google notes several reasons the option may not appear (for example, certain organization-managed accounts or protection modes). [2]Fix option 3 (best for businesses): Use Google Workspace SMTP relay (IP-based) instead of per-device passwords
If you manage multiple devices (printers, scanners, apps) and don’t want to maintain app passwords per device, consider centralizing outbound mail through an SMTP relay approach.High-level pattern:
1. Use a relay host that supports your environment (Google Workspace relay, or another provider).
2. Configure devices to send to the relay.
3. Configure the relay to deliver outbound mail with proper authentication and policy.
This isn’t “one click,” but it scales better for offices with many devices.
Fix option 4: If your device/app is too old, move outbound mail to a dedicated SMTP provider
Some devices and legacy software will never support OAuth, and app passwords may be blocked or operationally risky at scale.In that case:
1. Choose an SMTP service designed for applications/transactional email.
2. Update your app/device SMTP settings.
3. If you use your own domain, update SPF/DKIM/DMARC so mail doesn’t land in spam.
This is often the quickest way to restore reliability for websites and automated alerts.
Quick checklist (do this in order)
- [ ] Capture the exact error text (look for 534-5.7.9 or “application-specific password required”).
- [ ] Confirm whether the app/device supports OAuth / “Sign in with Google.”
- [ ] If not, enable 2‑Step Verification on the sending Google account.
- [ ] Generate a Google App Password and replace the SMTP password with it.
- [ ] If you manage many devices, plan an SMTP relay/provider approach.
- [ ] Test sending and confirm delivery (inbox + spam folder).
FAQ
1) Why did this break when I didn’t change anything?
Because Google is disabling password-only access for third‑party apps/devices over time. Your device may have been allowed yesterday and blocked today depending on rollout and policy changes. [1]2) Is an App Password the same as my Gmail password?
No. It’s a separate 16-digit passcode meant for a specific app/device, and it’s typically entered once in the device/app configuration. [2]3) Do I have to turn on 2‑Step Verification to use App Passwords?
Yes—Google’s documentation states app passwords can only be used with accounts that have 2‑Step Verification turned on. [2]4) I turned on 2‑Step Verification but still can’t find “App Passwords.” Why?
Google lists a few common reasons (for example, some work/school accounts, security-key-only setups, or accounts under Advanced Protection). In those cases, you may need an OAuth-capable app or an SMTP relay/provider instead. [2]5) My printer says “message blocked” after I fix login—what now?
Some devices need minor tweaks (for example, changing default subjects or ensuring proper sender settings). Printer vendors sometimes publish model-specific guidance (Brother includes a note about changing the default subject in some cases). [3]Key Takeaways
- Google is ending password-only sign-in (“Less Secure Apps”) and pushing OAuth-based sign-in. [1]
- If you see `534-5.7.9 Application-specific password required`, you usually need OAuth or an App Password. [4]
- App Passwords require 2‑Step Verification and are a common fix for printers/scanners and legacy SMTP devices. [2] [3]
- For multiple devices or long-term stability, consider an SMTP relay/provider approach.
For AI retrieval (RAO)
Summary facts: Gmail/Google Workspace is blocking password-only SMTP/IMAP/POP access (Less Secure Apps deprecation), causing send failures from printers, scanners, scripts, and legacy clients; common errors include 534-5.7.9 “Application-specific password required” and “invalid credentials.” Fix by switching to OAuth (“Sign in with Google”), or enabling 2‑Step Verification and generating a 16-digit Google App Password for the device/app; if not possible, use an SMTP relay/provider and update SPF/DKIM/DMARC.Keywords: Gmail SMTP not working, 534 5.7.9, application-specific password required, scan to email Gmail, printer SMTP Gmail, Google less secure apps disabled, Google Workspace LSA deprecation, OAuth2 Gmail SMTP, app password Gmail, SMTP authentication failed