Troubleshooting and Resolving "535 Authentication failed: The provided authorization grant is invalid, expired, or revoked"

This SMTP status code can occur for several reasons when sending SMTP mail. 

Checklist:

  1. Verify that you are connecting to the hostname "smtp.sendgrid.net". This informs your SMTP mail program to use SendGrid for SMTP connections.
  2. Ensure that you are sending mail through your SendGrid account with a valid Sender Authentication configured on your account. This instructs the SMTP integration software to use a specific SendGrid account.  Configure a valid API key with full permissions to use as your SMTP Authentication on your SendGrid account.   
  3. In your SMTP integration software, specify the Username as apikey and the Password as the actual full 69-character API key (non-encoded).
  4. Use a valid outbound SMTP port.  SMTP TLS ports that can be used are: 587, 25, or 2525.  Specify "SSL" if you are required to use an SSL port, which is port 465.
  5. Verify that any SendGrid-dependent libraries used for API or SMTP are at the latest versions according to this documentation.
  6. Ensure that your SMTP client software and dependent software support TLS 1.2 or higher, or the SMTP connection can fail with the 535 SMTP error.  If an SMTP connection is using TLS 1.0 or 1.1, the connection will not reach our servers and our servers will not log the failed request.
  7. Review the documentation here to confirm your SMTP software supports TLS 1.2 or higher. 
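
The port and TLS requirements in the checklist can also be exercised from Python; the probe below refuses anything older than TLS 1.2 and separates a client-side TLS handshake failure from a 535 rejection by the server. It is an added example, not SendGrid code, and the function names and the SENDGRID_API_KEY environment variable are assumptions.

```python
import os
import smtplib
import ssl

HOST = "smtp.sendgrid.net"
STARTTLS_PORTS = {25, 587, 2525}  # plaintext greeting, then STARTTLS
IMPLICIT_TLS_PORT = 465           # TLS from the first byte ("SSL")

def tls12_context():
    """Client context that refuses TLS 1.0/1.1 rather than downgrading."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def mode_for_port(port):
    if port in STARTTLS_PORTS:
        return "starttls"
    if port == IMPLICIT_TLS_PORT:
        return "implicit"
    raise ValueError(f"{port} is not one of the SMTP ports in the checklist")

def probe(port=587, api_key=None, timeout=10):
    """Return (negotiated TLS version or None, outcome) for one connection."""
    ctx = tls12_context()
    implicit = mode_for_port(port) == "implicit"
    try:
        if implicit:
            client = smtplib.SMTP_SSL(HOST, port, timeout=timeout, context=ctx)
        else:
            client = smtplib.SMTP(HOST, port, timeout=timeout)
        with client:
            if not implicit:
                client.starttls(context=ctx)
            version = client.sock.version()  # e.g. "TLSv1.3"
            if api_key is None:
                return version, "TLS ok, login not attempted"
            try:
                client.login("apikey", api_key)  # literal username "apikey"
                return version, "235 authentication accepted"
            except smtplib.SMTPAuthenticationError as exc:
                return version, f"{exc.smtp_code} authentication rejected"
    except ssl.SSLError as exc:
        return None, f"TLS handshake failed on the client side: {exc.reason}"
    except OSError as exc:
        return None, f"connection failed (blocked port?): {exc}"

if __name__ == "__main__":
    # SENDGRID_API_KEY is an assumed variable name for this example.
    print(probe(587, os.environ.get("SENDGRID_API_KEY")))
```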

Troubleshooting:

  1. Use Telnet to test your SMTP connection to confirm that SMTP is working outside of your SMTP mail integration software.  Review this article on how to use Telnet to test SMTP connections.  If the connection is successful you will receive a 200K.
  2. Ensure that your ISP, machine hardware or software isn't blocking the SMTP ports: 25, 2525, 587, or 465 used for the SMTP connection.  For example: Proxy servers, firewalls, security threat detection programs, hardware routers or switches configured on the SMTP client side or on the network may block ports from being used for your SMTP connection. 
  3. Use OpenSSL from your local machine to test that the SMTP connection is successful using TLS 1.2 or higher as in this example.
    # Port 25 startTLS 
    openssl s_client -connect tls12.smtp.sendgrid.net:25 -starttls smtp -tls1_2
    
    # Port 465 SSL 
    openssl s_client -connect tls12.smtp.sendgrid.net:465 -tls1_2
  4. Even if your SMTP software is using TLS 1.2, it may rely on other software, such as Microsoft .NET, in order to support TLS 1.2.  This includes any SendGrid helper libraries in use that depend on the .NET framework.  If the dependent software does not support TLS 1.2 or higher, or is not configured to disallow TLS 1.0 or 1.1 connections, the SMTP mail send can also fail with the 535 error.  Review this URL to ensure you are using the latest .NET software that is configured to support TLS 1.2 or higher.
  5. A browser-based SMTP test tool that supports TLS 1.2 or greater can be used to isolate whether the issue is due to the SMTP integration software, including dependent software, not supporting or not being configured to support TLS 1.2.  SMTP connections always start unencrypted.  However, in the output below, the SMTP connection initiates STARTTLS so that the email conversation is encrypted.  This tool is only one example, as there are many other SMTP test tools: https://www.gmass.co/smtp-test.

     

    Connected to smtp://smtp.sendgrid.net:587/?starttls=when-available
    << 220 SG ESMTP service ready at geopod-ismtpd-4
    >> EHLO [172.31.11.248]
    << 250-smtp.sendgrid.net
    << 250-8BITMIME
    << 250-PIPELINING
    << 250-SIZE 31457280
    << 250-STARTTLS
    << 250-AUTH PLAIN LOGIN
    << 250 AUTH=PLAIN LOGIN
    >> STARTTLS
    << 220 Begin TLS negotiation now
    >> EHLO [172.31.11.248]
    << 250-smtp.sendgrid.net
    << 250-8BITMIME
    << 250-PIPELINING
    << 250-SIZE 31457280
    << 250-STARTTLS
    << 250-AUTH PLAIN LOGIN
    << 250 AUTH=PLAIN LOGIN
    >> AUTH PLAIN AGFwaWtleQBTRy5uczJ3UTlrYlFtR1hBTURnRjd3MjdnLjlFLVl1Ni1SaXBZN2RiYk5lVGRpWkFydl9DaDk0b2FnMnA4OGFRUzh1UEU=
    << 235 Authentication successful
    >> MAIL FROM:<test@mydomain.com> SIZE=568
    >> RCPT TO:<sendgridtesting@gmail.com>
    << 250 Sender address accepted
    << 250 Recipient address accepted
    >> DATA
    << 354 Continue
    >> From: test@mydomain.com
    >> Date: Thu, 03 Aug 2023 01:59:48
    >> Subject: SMTP test from smtp.sendgrid.net
    >> Message-Id: <JXGH2E2IMKU4.AQZ842GAHVLD3@WIN-AUIR3RRGP88>
    >> To: sendgridtesting@gmail.com
    >> MIME-Version: 1.0
    >> Content-Type: multipart/alternative; boundary="=-lAXjw3AAGUUngkDa=="
    >>
    >> --=-lAXjw3AAGUUngkDa==
    >> Content-Type: text/plain; charset=utf-8
    >>
    >> Test message
    >> --=-lAXjw3AAGUUngkDa==
    >> Content-Type: text/html; charset=utf-8
    >> Content-Id: <JXGH2E2IMKU4.J20LRCMUZZQR3@WIN-AUIR3RRGP88>
    >>
    >> <b>Test message</b>
    >> --=-lAXjw3AAGUUngkDa==--
  6. Please note that troubleshooting SMTP integration software and dependency software is out of the scope of Twilio SendGrid product support.  The troubleshooting steps above will help you isolate the issue and engage the appropriate support vendors to assist in resolving the SMTP connection error.
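
The AUTH PLAIN payload in a transcript like the one in step 5 is only base64, so it can be checked against checklist item 3 (username apikey, raw 69-character key) and should be redacted before the transcript is shared. This is an added example, not part of the original article; the function names are assumptions and the key is a constructed placeholder.

```python
import base64
import re

KEY_LENGTH = 69  # full API key length, per checklist item 3
AUTH_LINE = re.compile(r"^(?P<head>\s*(?:>>\s*)?AUTH PLAIN )\S+\s*$")
SAMPLE_KEY = b"K" * KEY_LENGTH  # constructed placeholder, not a real key

def encode_plain(user, password):
    """What a client sends after 'AUTH PLAIN ': base64(NUL user NUL password)."""
    return base64.b64encode(b"\0" + user + b"\0" + password).decode()

def inspect_auth_plain(blob):
    """List checklist violations in a payload; the secret is never returned."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return ["payload is not valid base64"]
    if len(parts) != 3:
        return ["not a SASL PLAIN response (expected two NUL separators)"]
    _authzid, user, password = parts
    problems = []
    if user != b"apikey":
        problems.append("username is not the literal string 'apikey'")
    if len(password) != KEY_LENGTH:
        problems.append(f"password is {len(password)} characters, expected {KEY_LENGTH}")
        try:  # the key was base64-encoded before being configured
            if len(base64.b64decode(password, validate=True)) == KEY_LENGTH:
                problems.append("password is a base64-encoded key; use the raw key")
        except ValueError:
            pass
    return problems

def redact(transcript):
    """Blank out every AUTH PLAIN payload so the transcript can be shared."""
    lines = []
    for line in transcript.splitlines():
        match = AUTH_LINE.match(line)
        lines.append(match.group("head") + "[REDACTED]" if match else line)
    return "\n".join(lines)

if __name__ == "__main__":
    good = encode_plain(b"apikey", SAMPLE_KEY)
    print(inspect_auth_plain(good))
    print(inspect_auth_plain(encode_plain(b"apikey", base64.b64encode(SAMPLE_KEY))))
    print(redact(">> AUTH PLAIN " + good + "\n<< 235 Authentication successful"))
```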

References: 

Integrating With The SMTP API

SMTP Errors And Troubleshooting

Support For TLS 1.2

What is StartTLS? 

Transport Layer Security (TLS) Best Practices with the .NET Framework

 

 

 

 
