Fixing Gmail's recent POP3 "Logon failure: unknown user name or bad password" error
Gmail has long had a feature to 'check email from other accounts'. This can be extremely convenient if you have multiple email accounts, perhaps over various different email providers, but want to manage them all in one inbox.
Usually, this can be set up using POP3, and Gmail will seamlessly fetch messages from the remote email inbox periodically in the background.
Recently, this feature may have stopped working for some users. In my case, it was with an Outlook.com account – which had previously worked for years without any issues! It may have only happened occasionally at first, but is now permanent. Here are some examples of specific error messages you may be seeing:
Cause
POP3 is a protocol for listing, retrieving, and/or deleting messages from a mailbox. One of the most popular and simplest methods of authenticating against a POP3 server is using a simple username-password scheme (basic authentication) – and usually, these credentials are passed to the server on every request.
This authentication method raises the attack surface, and is generally considered to be less secure. Even with TLS, which encrypts the credentials in transit, the client often still needs to have access to the plaintext credentials to be able to send them to server every time it needs to check. Similarly, providers like Microsoft and Gmail offer 'app passwords' intended to be randomly generated passwords specific to one app – but nothing actually prevents those credentials from being reused with multiple services!
In the specific case of Gmail authenticating with Microsoft's email services, this stopped working recently because Microsoft have disabled Basic Authentication on all accounts since 16th September 2024. Furthermore, some accounts and/or authentication attempts will have experienced failures whilst the change was being gradually rolled out – this explains why some people may have occasionally experienced the issue in the past few months, but only recently faced a complete authentication failure.
Microsoft now mandate the use of Modern Authentication. This is a method of authentication based on OAuth 2.0 (where Microsoft will issue short-lived access tokens to clients, who can use this when authenticating with the mail server).
You can see this reference direct from Microsoft for more details:
Note: Microsoft have actually been planning this change since at least July 2018 – with gradual increases to the scope over time.
Solution: Gmailify
Since 2016, Gmail has supported a special method of connecting to accounts from some specific providers, called Gmailify. This is primarily available when connecting to an email account from Yahoo, AOL, or Outlook (or Hotmail).
This method supports Modern Authentication – if you try to link to an account using this, you will be prompted with the email provider's OAuth screen, where you can grant Gmail access to sync your emails.
To set Gmailify up, you can follow the "add an email account" option in Settings>Account and Import. Once you've entered your remote email address, you should see a screen like this, if the mail provider is supported by Gmailify:
Caveats / Cautions
Gmailify works a bit differently compared to the POP3 flow described earlier. Here are a few things to bear in mind – otherwise they may come as a shock!
-
Emails fetched from Gmailify don't support Gmail's auto-filtering/labelling. Whereas previously, emailed fetched via POP3 would be handled by any rules you may have setup, this will no longer work.
The best alternative is probably to use Google Apps Script to replicate your labelling logic in JavaScript, and set the script to run on a frequent schedule. This can be as simple (a few lines of code) or complex as you like; you may find you prefer being able to make more nuanced filters via code.
-
Gmailify explicitly creates a link between your accounts. That means if you delete an email on your provider's side (e.g., through Outlook.com), it will also be deleted in your Gmail inbox – and vice versa.
This is different to when emails are fetched via POP3, where there is only a one-way sync from the remote mailbox to Gmail.
There is also the potential for a significant storage increase in your Gmail inbox. For example, if you have had years of emails that were fetched via POP3, and deleted in Gmail, but not in the remote mailbox, they will now re-appear in your Gmail inbox; this may lead to you exceeding your Google account storage threshold! You may need to spend some time clearing this out.
-
All Gmail features are supported, but may be reflected differently in your remote mailbox.
For example, if you snooze an Outlook.com email in your Gmail inbox, you might see it be marked as archived in Outlook. Or, if you star an email in your Gmail inbox, it might be shown as flagged in Outlook. This is because Gmail creates some 'best' mapping of its own features.
Similarly, folders/labels are synced bi-directionally between Gmail and the other mail provider. For example, if you have a label in Gmail called External emails, a folder of the same name will be created in Outlook.com.
Deleted emails also respect the auto-deletion policy of the corresponding mailbox. For example, an email sent directly to your Gmail email address, will stay in the Bin for 30 days by default. However, emails sent to your remote email address, even if they are deleted within Gmail, will only be auto-deleted after the remote mailbox's deletion policy (e.g., 60 days).
-
You can only link one mail account with Gmailify at a time.
This means, if you had previously been fetching email from multiple mailboxes using POP3 Basic Authentication, you will still need to use an alternative solution after linking the first one with Gmailify (see below for some suggestions).
If any of these are deal-breakers, you may need to consider other solutions; such as setting up auto-forwarding from your remote mailbox, or using a different client app (which supports Modern Authentication) to combine your emails into one inbox.
Modern Authentication seems like a step in the right direction for security, and it is likely that most of the common email providers will (or already have) enforce such a change soon – so it's best to get ahead with preparation for the migration now!
Please feel free to post in the comments if you notice something wrong, or have come across any other solutions for this issue!