DEV Community: Abdulrasaq Agboluaje The latest articles on DEV Community by Abdulrasaq Agboluaje (@abdulrasaq_agboluaje_92c8). https://dev.to/abdulrasaq_agboluaje_92c8 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3983656%2F7a3cf39b-5f9b-4077-9a61-06d4b6dbd8ae.png DEV Community: Abdulrasaq Agboluaje https://dev.to/abdulrasaq_agboluaje_92c8 en Sending email as your users: why I ditched Gmail OAuth for App Passwords Abdulrasaq Agboluaje Sun, 14 Jun 2026 09:43:45 +0000 https://dev.to/abdulrasaq_agboluaje_92c8/sending-email-as-your-users-why-i-ditched-gmail-oauth-for-app-passwords-4dne https://dev.to/abdulrasaq_agboluaje_92c8/sending-email-as-your-users-why-i-ditched-gmail-oauth-for-app-passwords-4dne <p>I'm building <a href="https://recruiterreach.io" rel="noopener noreferrer">RecruiterReach</a>, a tool that helps job<br> seekers email the recruiter behind a job posting — sent from the user's <em>own</em><br> Gmail, so replies come back to them. That "send as the user" requirement turned<br> into the most annoying technical decision of the whole project. Here's what I<br> learned, in case it saves you the same detour.</p> <h2> The obvious path: Gmail API + OAuth </h2> <p>The "correct" way to send email on a user's behalf is the Gmail API with the<br> <code>gmail.send</code> OAuth scope. I built it, it worked, and then I hit the wall:</p> <p><strong><code>gmail.send</code> is a <em>restricted</em> scope.</strong> To use it in production beyond ~100<br> users, Google requires:</p> <ul> <li>App verification (fine)</li> <li>A demo video showing the consent screen + the scope in use (tedious)</li> <li>An annual <strong>third-party CASA security assessment</strong> — which costs <strong>$500+/year</strong> </li> </ul> <p>For a bootstrapped side project, a recurring $500 bill just to send email was a<br> non-starter. There's also a 7-day refresh-token expiry while your app is in<br> "testing", which means users would have to reconnect Gmail every week. Brutal UX.</p> <h2> The pivot: Gmail App Passwords over SMTP </h2> <p>Google App Passwords (with 2FA enabled) let you authenticate to Gmail's SMTP<br> server directly — <strong>no OAuth, no verification, no CASA</strong>. The user generates a<br> 16-character password, you send via <code>smtp.gmail.com</code>. Trade-off: a little more<br> onboarding friction (the user has to create the app password), but $0 cost and<br> no Google review.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">smtplib</span> <span class="kn">from</span> <span class="n">email.mime.text</span> <span class="kn">import</span> <span class="n">MIMEText</span> <span class="k">def</span> <span class="nf">send</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="n">app_password</span><span class="p">,</span> <span class="n">to</span><span class="p">,</span> <span class="n">subject</span><span class="p">,</span> <span class="n">body</span><span class="p">):</span> <span class="n">msg</span> <span class="o">=</span> <span class="nc">MIMEText</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">msg</span><span class="p">[</span><span class="sh">"</span><span class="s">From</span><span class="sh">"</span><span class="p">],</span> <span class="n">msg</span><span class="p">[</span><span class="sh">"</span><span class="s">To</span><span class="sh">"</span><span class="p">],</span> <span class="n">msg</span><span class="p">[</span><span class="sh">"</span><span class="s">Subject</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">sender</span><span class="p">,</span> <span class="n">to</span><span class="p">,</span> <span class="n">subject</span> <span class="k">with</span> <span class="n">smtplib</span><span class="p">.</span><span class="nc">SMTP_SSL</span><span class="p">(</span><span class="sh">"</span><span class="s">smtp.gmail.com</span><span class="sh">"</span><span class="p">,</span> <span class="mi">465</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span> <span class="k">as</span> <span class="n">server</span><span class="p">:</span> <span class="n">server</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="n">app_password</span><span class="p">)</span> <span class="n">server</span><span class="p">.</span><span class="nf">sendmail</span><span class="p">(</span><span class="n">sender</span><span class="p">,</span> <span class="p">[</span><span class="n">to</span><span class="p">],</span> <span class="n">msg</span><span class="p">.</span><span class="nf">as_string</span><span class="p">())</span> </code></pre> </div> <p>Store the app password <strong>encrypted at rest</strong> (I used Fernet), never plaintext.</p> <h2> The gotcha: <code>[Errno 101] Network is unreachable</code> on Render </h2> <p>First deploy to Render, every send failed with <code>[Errno 101] Network is<br> unreachable</code>. The cause: the container resolved <code>smtp.gmail.com</code> to an <strong>IPv6</strong><br> address, but the egress had no IPv6 route — and Python didn't fall back to IPv4.</p> <p>The fix: force IPv4 resolution for the SMTP connection while keeping the hostname<br> for TLS/SNI validation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span><span class="p">,</span> <span class="n">smtplib</span> <span class="k">def</span> <span class="nf">gmail_smtp_login</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">app_pw</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">20</span><span class="p">):</span> <span class="n">orig</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">getaddrinfo</span> <span class="k">def</span> <span class="nf">ipv4_only</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">family</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">proto</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="mi">0</span><span class="p">):</span> <span class="k">return</span> <span class="nf">orig</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="nb">type</span><span class="p">,</span> <span class="n">proto</span><span class="p">,</span> <span class="n">flags</span><span class="p">)</span> <span class="n">socket</span><span class="p">.</span><span class="n">getaddrinfo</span> <span class="o">=</span> <span class="n">ipv4_only</span> <span class="k">try</span><span class="p">:</span> <span class="n">s</span> <span class="o">=</span> <span class="n">smtplib</span><span class="p">.</span><span class="nc">SMTP_SSL</span><span class="p">(</span><span class="sh">"</span><span class="s">smtp.gmail.com</span><span class="sh">"</span><span class="p">,</span> <span class="mi">465</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">timeout</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">app_pw</span><span class="p">)</span> <span class="k">return</span> <span class="n">s</span> <span class="k">finally</span><span class="p">:</span> <span class="n">socket</span><span class="p">.</span><span class="n">getaddrinfo</span> <span class="o">=</span> <span class="n">orig</span> </code></pre> </div> <blockquote> <p>Note: free Render instances also block outbound SMTP ports entirely — you need<br> a paid instance for SMTP to work at all. That part is <em>not</em> fixable in code.</p> </blockquote> <h2> Would I do it again? </h2> <p>For a funded company that needs frictionless onboarding at scale, OAuth +<br> verification is worth it. For a bootstrapper who needs to ship without a $500/yr<br> line item, App Passwords are a totally reasonable trade — you swap a bit of<br> onboarding friction for zero cost and zero Google review.</p> <p>If you're curious what I'm building it for, it's <a href="https://recruiterreach.io" rel="noopener noreferrer">RecruiterReach</a><br> — finds the recruiter behind a job posting and drafts the outreach email.</p> <p>Happy to answer questions about the Gmail/SMTP side in the comments. 👋</p> productivity programming startup