Question: How do I set up IMAP on a Google Workspace (Gmail) account?

Explanation: To receive or send email from another application (for example an accounting program, ticketing system, or email client) you often need to set up IMAP. IMAP stands for Internet Message Access Protocol and is used to connect to a mail server, alongside the older POP(3) protocol. The difference: with IMAP messages stay on the server and synchronise across devices, with POP3 they are downloaded and then removed from the server.

Connecting an external application to Gmail can be tricky because IMAP is an old protocol and Google has built extra security around it. Since May 2025, Google Workspace no longer accepts basic authentication (plain username and password) for IMAP, SMTP and POP. You must therefore connect through OAuth 2.0 or via an app password in combination with two-step verification.

info
OAuth or app password, what's the difference?
  • OAuth 2.0 is the recommended method. The application receives a digital token instead of a password, and the user never has to hand over their actual password to the application. Modern clients like Thunderbird, the Mail app on iOS and macOS, and newer versions of Outlook support this out of the box. When adding an account, click 'Sign in with Google' to activate OAuth.
  • App passwords are a fallback option for devices and software that don't support OAuth, such as older printers, scanners, some accounting systems, and older versions of Outlook. An app password is a 16-character code that only works for that one device, and which you can revoke at any time without changing your main password. Two-step verification on the account is required for app passwords.

Solution:

There are three parties involved in setting up IMAP, and something has to happen at each one before the connection works.

1
The Google Workspace administrator enables IMAP for the user
An administrator must enable IMAP access for the user, a group, or an Organizational Unit (OU).

Go to Apps > Google Workspace > Gmail > End User Access in the Google Admin Console and turn on IMAP access for the right OU or for all users.

IMAP setting in Google Workspace Admin Console
warning
After changing this setting it can take up to a few hours before the change is active globally. Only try to connect after that.
2
The user enables IMAP in their own Gmail
The user must also enable IMAP in their personal Gmail settings.
  • Go to Gmail Settings > Forwarding and POP/IMAP, or open Gmail and click the gear icon in the top right, then 'See all settings', then the 'Forwarding and POP/IMAP' tab.
  • Under IMAP access select 'Enable IMAP'.
  • Click 'Save Changes' at the bottom.

After enabling, it can take up to 24 hours before IMAP actually works for the user.

3
The user generates an app password
For applications that don't support OAuth (printers, scanners, older software) you generate an app password.
warning
Two-step verification is required
App passwords are only available when two-step verification (2FA) is enabled on the account. If that's not the case yet, enable it first via Security > 2-Step Verification.
  • Go to myaccount.google.com/apppasswords. Alternatively: click your profile picture in the top right, choose 'Manage your Google Account', then 'Security', and search for 'app password'.
  • Enter a recognisable name for the application or device, for example Thunderbird laptop Anne or Brother printer office. This name helps you identify the password later.
  • Click 'Generate'. The 16-character password now appears once in a yellow box. Save it immediately or paste it straight into the application. Google will never show the password again.
Generating an app password in Google Account
lightbulb
Create a separate app password per device or application. That way you can later revoke a single password (for example when a laptop is lost) without breaking all your other connections.
4
Enter the IMAP and SMTP settings
Use the following details in your email program, printer, or application:
SettingValue
Incoming mail server (IMAP)imap.gmail.com
IMAP port993
IMAP encryptionSSL/TLS
Outgoing mail server (SMTP)smtp.gmail.com
SMTP port587 (STARTTLS) or 465 (SSL)
SMTP encryptionSTARTTLS or SSL/TLS
UsernameFull Google Workspace email address
PasswordApp password from step 3 (or OAuth token for modern clients)
check_circle
Initial test
After setting up, send a test email to yourself and check whether it arrives. If the email doesn't come through, go through each step again to verify that IMAP is enabled at both administrator and user level, and that the app password was entered correctly without spaces.

Setting up for specific devices and programs

info
Printers and scanners (Multifunctional devices)
Many printers and scanners need to email scanned documents. Google recommends two methods:
  • Option 1, SMTP Relay (recommended for printers): Allows the device to send without storing a username or password on the device itself. Authentication runs via IP address and TLS. Configure this in Apps > Google Workspace > Gmail > Routing, scroll to 'SMTP relay service' and set the allowed IP address. On the device, use smtp-relay.gmail.com on port 587 (TLS) without authentication. Limit: 10,000 messages per user per day.
  • Option 2, App password on the device: Use smtp.gmail.com on port 587 with an app password. Limit: 2,000 messages per day. Works for most older printers.

Per brand:

  • Canon (unified Firmware Platform v3.18 or higher): supports OAuth.
  • HP (FutureSmart 5.7 or higher): supports OAuth.
  • Lexmark (FW24 or higher): supports OAuth.
  • Ricoh, Savin, Lanier: limited OAuth support, preferably use SMTP Relay.
  • Xerox: at the time of writing doesn't support OAuth, use SMTP Relay or an app password.
info
Email clients (Outlook, Thunderbird, Apple Mail)
  • Outlook 2019, 2021, Microsoft 365 and the new Outlook: support OAuth. Add the account via 'File > Add Account' and choose 'Sign in with Google' when prompted.
  • Outlook 2016 or older: doesn't support OAuth. Use Google Workspace Sync for Microsoft Outlook (GWSMO) or upgrade to a newer version.
  • Thunderbird: supports OAuth since version 77. Remove existing accounts that still use a password, and re-add them with the 'OAuth2' option under the authentication setting.
  • Apple Mail on macOS and iOS: supports OAuth. Remove the existing Google account and re-add it via 'System Settings > Internet Accounts > Google'.
info
External applications (accounting, CRM, helpdesk)
For systems like Exact, Moneybird, Zoho, HubSpot, Freshdesk and similar tools:
  • First check whether the application offers 'Sign in with Google' or 'Connect Gmail via OAuth', this is always preferred.
  • If OAuth doesn't work, use an app password with the IMAP and SMTP settings from step 4.
  • For outreach or mailing tools (such as Mailchimp, Brevo): IMAP is not the right route. Use the tool's own sending infrastructure instead, and make sure your SPF and DKIM are properly configured.

Common issues and frequently asked questions:

I get the error 'username or password is incorrect'expand_more
This is the most common error. Run through these checks:
  • Did you enter your normal password instead of the app password? Since May 2025 Google rejects this.
  • Has the administrator enabled IMAP for your OU?
  • Did you also enable IMAP in your personal Gmail settings?
  • Is two-step verification enabled on your account? Without 2FA you cannot create an app password.
  • Did you enter the app password without spaces? Google shows it with spaces for readability, but they are not part of the password.
My printer or scanner suddenly cannot send email anymoreexpand_more
This is almost always caused by Google phasing out basic authentication in May 2025. Solutions:
  • Update the printer firmware to a version that supports OAuth (see the per-brand list above) and reconfigure with OAuth.
  • Configure SMTP Relay in the Google Admin Console and add the printer's IP address as an allowed sender. This works on almost all older devices as well.
  • Generate an app password and replace the old password on the printer.
I need to set up a shared mailbox for printers and scanners, what is the best approach?expand_more
Create a dedicated Google Workspace account (for example scanner@yourdomain.com) and use it as the sending account for all multifunctional devices. Benefits:
  • One central account that you can manage.
  • Devices do not depend on a personal account, which is useful when an employee leaves.
  • A separate app password or OAuth link per device, easy to revoke when lost or replaced.
Keep in mind that a shared account requires an active Google Workspace licence.
How many emails can I send per day via IMAP/SMTP?expand_more
  • smtp.gmail.com with an app password: 2,000 messages per day per user.
  • smtp-relay.gmail.com (SMTP Relay service): 10,000 recipients per day per user, up to 4.6 million per 24 hours at organisation level.
  • Bulk mailings do not belong in this category. Use a dedicated marketing tool such as Mailchimp, Brevo or MailerLite for that.
An IMAP session keeps disconnecting, what is going on?expand_more
Gmail limits IMAP sessions to a maximum of 24 hours. When using OAuth, a session is tied to the validity of the access token, usually 1 hour, after which the client must refresh automatically. Decent email clients handle this themselves. If you keep getting disconnects with a specific program, check whether it refreshes OAuth tokens correctly, or consider using an app password as a fallback.
How do I revoke an app password?expand_more
Go to myaccount.google.com/apppasswords, find the password in the list (this is why the recognisable name in step 3 matters) and click the bin icon or the 'Remove' option. The application or device can no longer connect from that moment. Generate a new password when you want to reconnect.