Lack of interest Using API keys for SMTP authentication instead of basic (username + password) credentials

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.


Well-known member
I was wondering, and hoping, that a feature could be introduced to use API keys for authenticating email requests from XenForo to SMTP hosts, rather than using a username and password to the account with the SMTP host. Reason being that the latter provides full access to the user account, should it be mistakenly put directly in code, or committed somewhere like GitHub.

I know that Amazon Web Services already uses API keys as SMTP credentials. Yesterday, I received an email from SendGrid informing me of their move from username/password authentication to API authentication from April 17th, 2019. It would be great if XenForo were to consider this, I think.

I'm copying the email below:

Hi Saeed,
We’re emailing to inform you of an upcoming security improvement related to the authentication process for your account and the action you need to take to ensure uninterrupted service.

Who is impacted?
Only customers who have two-factor authentication (2FA) enabled and use basic authentication will be impacted by this change. Our records indicate that your account falls within this category of impacted customers.

What are we addressing?
Today, customers with 2FA enabled can utilize basic authentication over the SendGrid v2 API, v3 API, or SMTP. 2FA increases account security by requiring authentication beyond a simple username and password; SendGrid’s 2FA is set up via SMS or through the Authy app. Basic authentication (authenticating with a username and password alone) is a less secure method of authenticating APIs. We have identified this as a misalignment between customers’ expectations of security with 2FA and the authentication options permitted on their SendGrid accounts.

What is changing?
Security is extremely important to us. In order to uphold your account security, we will no longer accept basic authentication through the API or SMTP for users who have 2FA enabled. Starting April 17th, 2019, calls to SendGrid’s v2 API, v3 API, or SMTP using basic authentication for users with 2FA enabled will be rejected with error: invalid authentication method - declined because you are using basic authentication with 2FA enabled. to fix, update to using an API key or disable 2FA and switch to using IP Access Management for security.

What action is required?
In order to avoid rejection errors from this change we recommend you modify your API and SMTP calls using basic authentication in one of these ways:
Please read this blog post for more information on what you can do to keep your SendGrid account secure. Feel free to reach out to our Support team if you have any additional questions.

Happy Sending,
The SendGrid Team

DragonByte Tech

Well-known member
Any SMTP service provider worth your money would not implement 2FA without also implementing an “application password” feature.

If you’re unfamiliar with application passwords, they are essentially passwords that can’t be used to log in via the website (think Gmail), but can be used to log in via another app (such as SMTP config in XenForo).

If SendGrid is really going to enforce 2FA without considering application passwords, or they are going to force third parties to use their proprietary API access system, then SendGrid will no longer be suitable for XF forums.

What you’re asking in the title is not really feasible, as XF uses standard SMTP authentication protocols which cannot simply switch to using SendGrid’s proprietary API - SG’s API is not a part of the SMTP standard.

If I were you, I would strongly consider either looking for alternatives to SendGrid, or I would look at obtaining a third party addon that replaces the built in mailing system with SendGrid’s API.

Hopefully this made some amount of sense :)
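
An added illustration, not part of any post in this thread and not XenForo's or SendGrid's code: in standard SMTP AUTH PLAIN (RFC 4616) the client sends one identity and one secret, so an application password or provider-issued key travels in the same field an account password would. The environment variable names `SMTP_USERNAME` and `SMTP_SECRET` and all sample values are constructed assumptions.

```python
import base64
import os
from typing import Mapping, Tuple


def auth_plain_response(username: str, secret: str) -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL passwd), authzid empty."""
    for field in (username, secret):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside PLAIN credentials")
    raw = f"\x00{username}\x00{secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> Tuple[str, str, str]:
    """Reverse the encoding: base64 gives no confidentiality at all."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    authzid, authcid, passwd = raw.split("\x00")
    return authzid, authcid, passwd


def load_smtp_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Take the identity and secret from the environment, not from source code."""
    missing = [k for k in ("SMTP_USERNAME", "SMTP_SECRET") if not env.get(k)]
    if missing:
        raise RuntimeError("missing SMTP settings: " + ", ".join(missing))
    return env["SMTP_USERNAME"], env["SMTP_SECRET"]


def auth_command(username: str, secret: str, tls_active: bool) -> str:
    """Build the AUTH line, refusing to do so on a cleartext connection."""
    if not tls_active:
        raise RuntimeError("refusing AUTH PLAIN before STARTTLS")
    return "AUTH PLAIN " + auth_plain_response(username, secret)


if __name__ == "__main__":
    # Constructed values: an account password and a provider-issued key occupy
    # the same protocol field; only what the provider lets each one do differs.
    samples = (
        ("account password", {"SMTP_USERNAME": "forum@example.org", "SMTP_SECRET": "hunter2"}),
        ("send-only key", {"SMTP_USERNAME": "forum-mailer", "SMTP_SECRET": "EXAMPLE-KEY-0001"}),
    )
    for label, env in samples:
        user, secret = load_smtp_credentials(env)
        print(label, "->", auth_command(user, secret, tls_active=True))
```

Because the AUTH line decodes trivially, the protection comes from TLS on the connection and from how little the secret is permitted to do at the provider, not from the encoding.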


Well-known member
It actually makes perfect sense. :)

I didn't realize that SendGrid's API would not be part of the SMTP standard. In that case, it doesn't make sense for applications to adopt a new standard, unless it becomes fairly ubiquitous.

Any suggestions for an alternative SMTP host?

DragonByte Tech

Well-known member
We use Amazon SES, but I don't know whether SendGrid has advanced features like sending statistics that are not well presented on Amazon. Those stats aren't relevant for us.