RFC 4954: SMTP AUTH Extension

Standards Track Email Authentication Published July 2007 Obsoletes RFC 2554

ELI5: Imagine a post office where anyone can walk in and drop off mail claiming to be from anyone. Chaos, right? SMTP AUTH is the ID check at the counter. Before you hand over your mail, you prove who you are — username, password, the works. Only after the clerk verifies your identity can you submit your message. Without AUTH, SMTP is an open door for abuse.

Why This Exists

Original SMTP (RFC 5321) had no concept of sender authentication. Any client could connect to any server and send mail as anyone. This design worked in the early internet where all participants were trusted, but it became the foundation of the spam problem.

RFC 4954 defines the AUTH extension to SMTP, providing a standardized way for clients to authenticate with a mail server before submitting messages. It uses the SASL (Simple Authentication and Security Layer) framework, allowing multiple authentication mechanisms to be plugged in without changing the SMTP protocol itself.

This RFC obsoleted RFC 2554 (1999), fixing security issues and clarifying the interaction between AUTH and other SMTP extensions like STARTTLS.

How It Works

The AUTH Negotiation

The client connects and issues EHLO.
The server advertises 250-AUTH followed by a list of supported SASL mechanisms.
The client picks a mechanism and sends AUTH <mechanism>, optionally with an initial response.
The server and client exchange one or more challenge/response rounds (mechanism-dependent).
The server responds with 235 (authentication successful) or 535 (authentication failed).

SMTP Transcript: AUTH PLAIN

The PLAIN mechanism sends credentials in a single Base64-encoded string containing the authorization identity, authentication identity, and password:

# Connect and discover capabilities S: 220 smtp.mailertogo.com ESMTP C: EHLO app.example.com S: 250-smtp.mailertogo.com S: 250-STARTTLS S: 250-AUTH PLAIN LOGIN XOAUTH2 S: 250-SIZE 26214400 S: 250 ENHANCEDSTATUSCODES # Upgrade to TLS first (always before AUTH) C: STARTTLS S: 220 2.0.0 Ready to start TLS # ... TLS handshake ... re-EHLO required C: EHLO app.example.com S: 250-smtp.mailertogo.com S: 250-AUTH PLAIN LOGIN XOAUTH2 S: 250 ENHANCEDSTATUSCODES # Authenticate with AUTH PLAIN # Base64 of "\0alice@example.com\0secretpassword" C: AUTH PLAIN AGFsaWNlQGV4YW1wbGUuY29tAHNlY3JldHBhc3N3b3Jk S: 235 2.7.0 Authentication successful # Now authorized to submit messages C: MAIL FROM:<alice@example.com> S: 250 2.1.0 OK

SMTP Transcript: AUTH LOGIN

The LOGIN mechanism uses a separate challenge/response for username and password:

C: AUTH LOGIN S: 334 VXNlcm5hbWU6 ← Base64 of "Username:" C: YWxpY2VAZXhhbXBsZS5jb20= ← Base64 of "alice@example.com" S: 334 UGFzc3dvcmQ6 ← Base64 of "Password:" C: c2VjcmV0cGFzc3dvcmQ= ← Base64 of "secretpassword" S: 235 2.7.0 Authentication successful

SMTP Transcript: AUTH Failed

C: AUTH PLAIN AGJhZEBleGFtcGxlLmNvbQB3cm9uZw== S: 535 5.7.8 Authentication credentials invalid # Client MUST NOT attempt to send mail after a 535

Key Technical Details

SASL Mechanisms

RFC 4954 does not define authentication mechanisms directly. It provides the framework; mechanisms come from the SASL registry. The most commonly used ones in SMTP:

Mechanism	How It Works	Security Notes
`PLAIN`	Single Base64 string: `\0authzid\0password`	Simple, widely supported. Must only be used over TLS.
`LOGIN`	Two-step challenge/response for username and password	Non-standard but ubiquitous. Must only be used over TLS.
`XOAUTH2`	OAuth 2.0 bearer token in a formatted string	No password transmitted. Token-based, used by Gmail and Microsoft 365.
`SCRAM-SHA-256`	Salted challenge/response with channel binding	Password never sent, even hashed. Mutual authentication. Best security but limited adoption in SMTP.
`CRAM-MD5`	Challenge/response with MD5 HMAC	Deprecated. MD5 is considered weak. Avoids sending the password but does not protect against replay attacks.

The AUTH PLAIN Credential Format

The PLAIN mechanism encodes three fields separated by null bytes (\0), then Base64-encodes the result:

# Format: [authzid] \0 authcid \0 password # authzid = authorization identity (usually empty or same as authcid) # authcid = authentication identity (the username) # password = the plaintext password # Example: authzid empty, authcid "alice@example.com", password "s3cret" \0alice@example.com\0s3cret # Base64 encoded: AGFsaWNlQGV4YW1wbGUuY29tAHMzY3JldA==

The Initial Response Optimization

RFC 4954 allows the client to send the initial SASL response on the same line as the AUTH command (as shown in the PLAIN example above). This saves one round-trip compared to the older two-step approach where the server first sends an empty challenge. For mechanisms like PLAIN where the client speaks first, this optimization is standard.

Interaction with STARTTLS

RFC 4954 strongly recommends that servers not advertise AUTH until after TLS is established. This prevents clients from accidentally sending credentials in cleartext. The typical flow is:

Connect → EHLO → server advertises STARTTLS but not AUTH
STARTTLS → TLS handshake
EHLO again → server now advertises AUTH (STARTTLS no longer listed)
AUTH → submit messages

Response Codes

Code	Meaning
`235`	Authentication successful
`334`	Server challenge (continuation of the SASL exchange)
`432`	Password transition needed (server requires a password change)
`454`	Temporary authentication failure (try again later)
`500`	AUTH command not recognized (server does not support AUTH)
`534`	Authentication mechanism too weak (server requires a stronger mechanism)
`535`	Authentication credentials invalid

AUTH and MAIL FROM Identity

After successful authentication, the server associates the connection with the authenticated identity. The MSA can then enforce that the MAIL FROM and header From: addresses match (or are authorized for) the authenticated user. This prevents authenticated users from spoofing arbitrary sender addresses.

Common Mistakes

Sending AUTH before STARTTLS. If the server advertises AUTH on a cleartext connection (some misconfigured servers do), your credentials still travel in the clear. Always establish TLS before authenticating. With implicit TLS on port 465, this is automatic.
Confusing Base64 encoding with encryption. Base64 is an encoding, not encryption. AUTH PLAIN sends credentials in a trivially decodable format. The protection comes from the TLS layer, not from Base64.
Not handling 535 errors. A failed AUTH means the server rejected your credentials. Retrying the same credentials in a loop will get your IP rate-limited or blocked. Check the credentials and fail gracefully.
Hardcoding AUTH LOGIN when PLAIN is available. LOGIN is a non-standard mechanism with inconsistent implementations. If the server supports PLAIN, prefer it. If it supports XOAUTH2 or SCRAM, prefer those.
Not re-issuing EHLO after STARTTLS. The capability list changes after TLS is established. AUTH may only appear in the post-TLS EHLO response. Skipping the second EHLO means your client never discovers AUTH support.
Ignoring the initial response optimization. Sending AUTH PLAIN without the inline credentials forces an unnecessary extra round-trip. Most modern servers support the initial response.
Using CRAM-MD5 for "security." CRAM-MD5 avoids sending the plaintext password, but it uses MD5 (broken), does not protect against replay attacks, and requires the server to store the password in a recoverable form. PLAIN over TLS is strictly superior.

Deliverability Impact

Required for message submission. Every modern email service requires SMTP AUTH for submission (RFC 6409). Without authentication, the server will reject your messages with a 530 (authentication required) response.
Enables sender identity binding. Authentication ties each message to a known account. This lets the email service enforce sending policies, apply DKIM signatures, and track reputation per authenticated sender.
Prevents open relay abuse. By requiring authentication before accepting messages for delivery, servers avoid being exploited as open relays — which would quickly result in IP blacklisting and delivery failure for all users on the server.
OAuth2 for modern integrations. Services like Gmail and Microsoft 365 are deprecating password-based AUTH in favor of XOAUTH2. Migrating to token-based authentication avoids service disruptions when basic auth is disabled.
Rate limiting and abuse prevention. Authenticated sessions allow per-user rate limiting. If one account is compromised, the service can throttle or disable that account without affecting other senders on the same infrastructure.