Skip to main content

Configuring SMTP for sending emails

Log in to add to favourites

Page last updated 03 July 2026

Contensis sends emails such as workflow notifications, form submissions, password resets, and other system messages through an SMTP server that you configure. This guide explains each of the SMTP settings, how they work together, and the most common configurations.

All settings described here are found in the Management Console under Global Settings.

Sending from your own email domain

By default, Contensis is configured to send email through Zengenti's SMTP server (EmailSMTPHost is set to smtp.zengenti.com), with From addresses on the contensis.com domain, typically no-reply@contensis.com. This combination works out of the box: contensis.com authorises Zengenti's mail servers, so the emails pass the sender checks (SPF/DMARC) that receiving mail servers perform.

That authorisation is also why you can't simply change the From address to your own domain. If you set a notification's From address to an address on your own domain (e.g. cms@example.com) while still sending through Zengenti's server, receiving mail servers will see email claiming to be from your domain but sent from servers your domain hasn't authorised. The messages will fail SPF and DMARC checks, and most providers, including Google and Microsoft, will quarantine or reject them. Your notifications may simply never arrive.

To send emails from your own domain, configure Contensis to use your own SMTP server by changing EmailSMTPHost and the related settings described in this guide. For example:

  • If your organisation uses Microsoft 365, point Contensis at smtp.office365.com with OAuth2 authentication. See Setting up OAuth2 SMTP authentication for Microsoft 365.
  • Otherwise, use your own mail server or a transactional email service that provides SMTP access, with the appropriate encryption and authentication settings below.

If you don't need emails to come from your own domain, you can leave the default configuration in place.

How the settings fit together

There are two independent decisions to make when configuring SMTP:

  1. How to connect: the host, port, and whether the connection is encrypted.
  2. How to authenticate: anonymously, with a username and password, or with OAuth2.

The settings for each are described below, followed by a full settings reference and common configurations.


Connection settings

Host and port

SettingPurpose
EmailSMTPHostThe hostname or IP address of your SMTP server, e.g. smtp.office365.com.
EmailSmtpPortThe port to connect on. The correct port depends on the encryption mode you choose (see below).

Encryption

Two settings control whether the connection to your SMTP server is encrypted, and how:

SettingEncryption modeTypical port
EmailSmtpUseImplicitSSL = trueImplicit SSL/TLS: the connection is encrypted from the moment it opens ("SSL on connect").465
EmailSmtpUseSSL = trueExplicit SSL/TLS (STARTTLS): the connection starts in plain text and is upgraded to an encrypted connection before any credentials or messages are sent.587
Both falseNo encryption: everything is sent in plain text. Only suitable for trusted internal mail relays.25

Notes:

  • If both settings are true, EmailSmtpUseImplicitSSL takes precedence and implicit SSL is used.
  • Contensis negotiates TLS 1.2 or TLS 1.3; older protocol versions are not supported. If your mail server only supports TLS 1.0/1.1 it will need to be updated.
  • Make sure the port matches the encryption mode. The most common cause of connection failures is a mismatch, for example enabling EmailSmtpUseImplicitSSL while still pointing at port 587, or enabling STARTTLS against port 465.

Authentication

Contensis chooses the authentication method in this order:

  1. OAuth2: used if EmailSmtpUseOAuth2 is true.
  2. Username and password (basic authentication): used if OAuth2 is off and both EmailSmtpUsername and EmailSmtpPassword are set.
  3. Anonymous: if neither of the above applies, Contensis connects without authenticating. This is common for internal mail relays that allow sending from trusted IP addresses.

Username and password (basic authentication)

Set EmailSmtpUsername and EmailSmtpPassword to the credentials for your SMTP account. Both must be set. If either is empty, Contensis will attempt to send anonymously.

You should always combine basic authentication with one of the encryption modes above, otherwise your credentials are sent in plain text.

Note for Microsoft 365 customers: Microsoft has retired basic authentication for SMTP. Username/password authentication against smtp.office365.com no longer works, so you must use OAuth2 instead (see below).

OAuth2

Setting EmailSmtpUseOAuth2 to true switches SMTP authentication to OAuth2. Instead of a mailbox password, Contensis obtains a short-lived access token from your identity provider using the client credentials flow, and presents that token to the SMTP server.

OAuth2 requires an encrypted connection. If EmailSmtpUseOAuth2 is true but neither EmailSmtpUseSSL nor EmailSmtpUseImplicitSSL is enabled, sending will fail with an error.

OAuth2 works in one of two modes, decided by which settings you fill in:

Microsoft 365

If EmailSmtpOAuth2AzureTenantId is set, Contensis authenticates against Microsoft Entra ID for that tenant. This is the correct mode for Microsoft 365 / Exchange Online.

Required settings:

SettingValue
EmailSMTPHostsmtp.office365.com
EmailSmtpPort587
EmailSmtpUseSSLtrue
EmailSmtpUseOAuth2true
EmailSmtpOAuth2AzureTenantIdYour Directory (tenant) ID
EmailSmtpOAuth2ClientIdThe Application (client) ID of your app registration
EmailSmtpOAuth2ClientSecretThe client secret of your app registration

EmailSmtpOAuth2Scope can be left empty. It defaults to https://outlook.office365.com/.default, which is correct for Microsoft 365. EmailSmtpOAuth2TokenEndpoint is ignored in this mode.

Before Contensis can send email this way, an administrator must create an app registration in Microsoft Entra ID and grant it permission to send from your mailbox in Exchange Online. This is covered step by step in Setting up OAuth2 SMTP authentication for Microsoft 365.

Other OAuth2 providers

If EmailSmtpOAuth2AzureTenantId is empty and EmailSmtpOAuth2TokenEndpoint is set, Contensis requests a token directly from that endpoint using the standard OAuth2 client credentials grant. Use this for non-Microsoft providers that support OAuth2 for SMTP.

Required settings:

SettingValue
EmailSmtpUseOAuth2true
EmailSmtpOAuth2TokenEndpointYour provider's token endpoint URL (must be HTTPS)
EmailSmtpOAuth2ClientIdThe client ID from your provider's app registration
EmailSmtpOAuth2ClientSecretThe client secret from your provider's app registration
EmailSmtpOAuth2ScopeThe scope(s) your provider requires, space-separated if more than one

If OAuth2 is enabled but neither EmailSmtpOAuth2AzureTenantId nor EmailSmtpOAuth2TokenEndpoint is set, sending fails with a configuration error.

The OAuth2 username

When authenticating with OAuth2, the SMTP server still needs to know which mailbox is being used. Contensis uses:

  • EmailSmtpUsername, if set (set this to the email address of the sending mailbox); or
  • the From address of the email being sent, if EmailSmtpUsername is empty.

For Microsoft 365 this address must be a mailbox that your app registration has been granted permission to send from. If your emails go out from several different From addresses, each mailbox needs that permission, or you can set EmailSmtpUsername to a single authorised mailbox to use for authentication.


Settings reference

SettingDefaultDescription
EmailSMTPHostsmtp.zengenti.comHostname or IP address of the SMTP server. Defaults to Zengenti's SMTP server. Change this to your own server to send from your own domain.
EmailSmtpPort25Port to connect on. Use 465 for implicit SSL, 587 for STARTTLS, 25 for unencrypted.
EmailSmtpUseImplicitSSLfalseEnables implicit SSL/TLS (SSL on connect). Takes precedence over EmailSmtpUseSSL.
EmailSmtpUseSSLfalseEnables explicit SSL/TLS (STARTTLS).
EmailSmtpUsername(empty)Username for basic authentication. With OAuth2, used as the mailbox to authenticate as.
EmailSmtpPassword(empty)Password for basic authentication. Not used when OAuth2 is enabled.
EmailSmtpUseOAuth2falseSwitches SMTP authentication to OAuth2. Requires one of the SSL/TLS settings to be enabled.
EmailSmtpOAuth2AzureTenantId(empty)Microsoft Entra ID tenant ID. Set for Microsoft 365; leave empty for other providers.
EmailSmtpOAuth2TokenEndpoint(empty)Token endpoint URL for non-Microsoft providers (HTTPS required). Ignored when a tenant ID is set.
EmailSmtpOAuth2ClientId(empty)The Application (client) ID from your provider's app registration.
EmailSmtpOAuth2ClientSecret(empty)The client secret from your provider's app registration.
EmailSmtpOAuth2Scope(empty)Scope(s) to request, space-separated. Optional for Microsoft 365 (defaults to https://outlook.office365.com/.default); usually required for other providers.

Common configurations

Microsoft 365 with OAuth2 (recommended for Microsoft 365)

JavaScript
EmailSMTPHost                  = smtp.office365.com
EmailSmtpPort                  = 587
EmailSmtpUseSSL                = true
EmailSmtpUseImplicitSSL        = false
EmailSmtpUseOAuth2             = true
EmailSmtpOAuth2AzureTenantId   = <your tenant ID>
EmailSmtpOAuth2ClientId        = <your client ID>
EmailSmtpOAuth2ClientSecret    = <your client secret>

Follow Setting up OAuth2 SMTP authentication for Microsoft 365 for the Entra ID and Exchange Online steps.

SMTP relay with username and password over STARTTLS

JavaScript
EmailSMTPHost                  = smtp.example.com
EmailSmtpPort                  = 587
EmailSmtpUseSSL                = true
EmailSmtpUsername              = <username>
EmailSmtpPassword              = <password>
EmailSmtpUseOAuth2             = false

SMTP relay with username and password over implicit SSL

JavaScript
EmailSMTPHost                  = smtp.example.com
EmailSmtpPort                  = 465
EmailSmtpUseImplicitSSL        = true
EmailSmtpUsername              = <username>
EmailSmtpPassword              = <password>
EmailSmtpUseOAuth2             = false

Internal mail relay, no authentication

JavaScript
EmailSMTPHost                  = mailrelay.internal.example.com
EmailSmtpPort                  = 25
EmailSmtpUseSSL                = false
EmailSmtpUseImplicitSSL        = false
EmailSmtpUsername              = (empty)
EmailSmtpPassword              = (empty)
EmailSmtpUseOAuth2             = false

Only use an unencrypted, unauthenticated configuration with a relay on a trusted internal network that permits sending from your Contensis servers' IP addresses.


Troubleshooting

  • "OAuth2 authentication requires TLS": EmailSmtpUseOAuth2 is true but neither SSL setting is enabled. Set EmailSmtpUseSSL to true (or EmailSmtpUseImplicitSSL for SSL-on-connect providers).
  • "OAuth2 is enabled but neither EmailSmtpOAuth2AzureTenantId nor EmailSmtpOAuth2TokenEndpoint is configured": fill in the tenant ID (Microsoft 365) or the token endpoint (other providers).
  • Connection fails or times out: check that the port matches the encryption mode (465 for implicit SSL, 587 for STARTTLS), that a firewall isn't blocking the port, and that your mail server supports TLS 1.2 or later.
  • 535 5.7.3 Authentication unsuccessful (Microsoft 365): usually a permissions issue with the app registration or service principal, or permissions that haven't propagated yet. See the troubleshooting section of Setting up OAuth2 SMTP authentication for Microsoft 365.
  • "Cannot determine OAuth2 username": OAuth2 is enabled, EmailSmtpUsername is empty, and the email has no From address. Set EmailSmtpUsername to the sending mailbox's address.

Still need help?

If you still need help after reading this article, don't hesitate to reach out to the Contensis community on Slack or raise a support ticket to get help from our team.
New support request