Setup Google Workspace Account for Sending SMTP GMail from a Service Account

To send email via SMTP from a Google service account in a Google Workspace domain, you must use OAuth2 with domain-wide delegation to impersonate a user. This allows your service account to act as a real user in the domain, meaning a user with a non-GMail email address (e.g., joe@example.com), and to send mail via smtp.gmail.com.

Here's a complete step-by-step guide:


Prerequisites

  • A Google Workspace (formerly G Suite) domain.
  • Access to the Google Cloud Console.
  • Admin access to the Google Workspace Admin Console.
  • Your app must use the XOAUTH2 mechanism to authenticate with smtp.gmail.com.

Step-by-Step Setup

1. Create a Service Account

In Google Cloud Console:

  • Go to IAM & Admin > Service Accounts.
  • Click Create Service Account.
  • Name it, and grant no roles for now.
  • Click Done.

2. Enable Domain-Wide Delegation

  • Edit your service account.
  • Go to Advanced Settings.
    [Screenshot: Domain wide delegation]
  • Note the Client ID that appears (you’ll use this later). In the above image, the Client ID is 109122032928932715958.
  • Go to: Google Workspace Admin Console
  • In the Admin Console, go to Security / Access and data control / API controls. Then click on Manage Domain Wide Delegation.
    [Screenshot: domain wide delegation]
  • Click Add new and add an entry for your Google service account using the service account email address, Client ID, and the scope https://mail.google.com/. It should look like this when finished:
    [Screenshot: domain wide delegation entry]

3. Permission to Create a Service Account Key

  • You'll first need to make sure your account has permission to create a key. If not, you'll get this error:
    service account key creation is disabled
  • Open the project picker:
    [Screenshot: project picker]
  • Click on the 3 dots at the top right ("More Actions") and select IAM/Permissions.
  • Click on Grant Access.
  • The principal is your email address (a non-GMail address, such as info@chilkat.xyz); the role to assign is Organization Policy Administrator.
  • Next, go to Organization Policies.
  • Type "key creation" in the Filter, and select Disable service account key creation.
  • Edit the iam.disableServiceAccountKeyCreation - Managed (Legacy) policy.
  • Choose Override parent's policy, and Not enforced.

4. Create a Service Account Key

Now that you have permission to create a service account key, go ahead and create a P12 key. A .p12 is a PKCS#12 file which is also called a PFX file (.pfx).


5. GMail SMTP Examples using a Google Service Account

The links below show how to obtain an access token with a Google service account's .p12 key and use it to send emails through the Gmail SMTP server.

The links below show how to obtain an access token with a Google service account's JSON key and use it to send emails through the Gmail SMTP server.
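
The two wire formats this setup depends on, as an added example that is not part of the original page or of Chilkat's examples: the JWT claim set that asks Google for a token on behalf of the impersonated user, and the XOAUTH2 string sent to smtp.gmail.com. The token endpoint, claim names, port 587 with STARTTLS and the sample addresses are assumptions not taken from the page; signing the JWT with the key from step 4 (RS256) and exchanging it for an access token is left to your JWT/OAuth library.

```python
import base64, json, smtplib, ssl, time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # assumed: Google's OAuth2 token endpoint
SCOPE = "https://mail.google.com/"  # must match the scope authorized in step 2

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def delegation_claims(sa_email, user, now=None, lifetime=3600):
    """JWT claim set for domain-wide delegation; 'sub' is the impersonated user."""
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else now
    return {"iss": sa_email, "sub": user, "scope": SCOPE,
            "aud": TOKEN_URL, "iat": now, "exp": now + lifetime}

def signing_input(claims):
    """header.payload string that is signed with the service account key."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims)

def xoauth2_response(user, access_token):
    """Base64 SASL initial response that follows AUTH XOAUTH2."""
    if any(c in user + access_token for c in "\x01\r\n"):
        raise ValueError("control character in user or token")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def send(user, access_token, msg):
    """Send an email.message.EmailMessage as the impersonated user."""
    with smtplib.SMTP("smtp.gmail.com", 587) as s:
        # Pass a verifying context; smtplib's default does not check the certificate.
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        code, resp = s.docmd("AUTH", "XOAUTH2 " + xoauth2_response(user, access_token))
        if code != 235:
            raise smtplib.SMTPAuthenticationError(code, resp)
        s.send_message(msg)

if __name__ == "__main__":
    # Constructed sample values, not real accounts or tokens.
    claims = delegation_claims("mailer@my-project.iam.gserviceaccount.com", "joe@example.com")
    print(signing_input(claims))
    print(xoauth2_response("joe@example.com", "ya29.constructed-token"))
```

Because the delegation entry authorizes https://mail.google.com/ for the whole domain, whoever holds the service account key can request a token for any user's mailbox, so store the key accordingly.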