How to use a Gmail/Google Workspace account with K-9 Mail?

TL;DR: K-9 Mail can currently only access Gmail/Google Workspace accounts if you enable 2-step verification and create an app-specific password.


The problem

Since the end of May 2022 Google no longer allows you to use your Google password when accessing your email via IMAP, POP3, or SMTP (this is what K-9 Mail uses to retrieve/send emails). That’s a good thing, because your Google password allows access to a whole range of Google services. There’s no need for an email client to potentially have access to all of these services.

The current solution

The easy way to support existing email clients is for the email provider to allow their users to create app-specific passwords. That way the user can grant email clients access to only email, but no other services. The app-specific password can also easily be revoked without having to change the main password, e.g. if your device using the app-specific password was lost/stolen.

Google supports app-specific passwords, but only if 2-step verification is enabled for your account.
Currently this is the only way to access your Gmail/Google Workspace account using K-9 Mail.

The “proper” solution

What Google wants email clients to use, is OAuth. This involves the app opening the browser to allow the user to sign in to the provider, then granting the app access to the service it requested access to (in our case email). Behind the scenes the browser will return an access code to the app that it can then use to retrieve/send email.
Conceptually you can think of this as a streamlined way for the user to generate an app-specific password and passing it to the app. Only that the user never gets to see the password and doesn’t have to manually copy it from a website into the app.

The “problem” with this approach is that developers have to register their apps with the service before they are allowed to use this method. In the case of Google, not only is a registration required, they also verify that the app is following all their guidelines before an app is allowed to use this method.

We’re currently working on adding support for this mechanism, or rather we have added support for it and now will have to keep making changes until Google is satisfied. We’ll release K-9 Mail 6.200 once that work is complete.

For updates, check out The plan for K-9 Mail 6.200.

See also: How to set up with a Gmail account

9 Likes

Thanks a lot for your post!

I didn’t understand much. I have been using k9 for more than ten years and this is such a blow I am still shocked. As for the new methods to have access, it is far too complicate and risky. In fact I have read about people that while traveling abroad have been unable to access or use the two way identification and lost their tickets. I am very sadly saying that I don’t try what I don’t understand, and I don’t understand your post. Can you rewrite it in an edible way for laycans? That would be much appreciated.

1 Like

Just use the guide by Google on their site, there’s nothing difficult about it really.

2 Likes

Thanks, but once I implement this procedure will k9 mail work again with gmail?
EDIT: it seems to me that I should activate google two step verification and this is the key point: I do not want to add this layer cause the risks to be locked out of the account are too high.

Thanks a lot for the information. I am getting all the “failed to connect” warnings regularly on my Android phone right now. Nearly every hour I receive the warning triangle signs. It seems each time it tries to connect I get a warning.

There is no problem with the Gmail app by Google itself. It is working properly, but I like K-9 and I hope you can sort it out soon.

1 Like

In that case you’ll have to wait for Google to approve the new K-9 Mail version. As far as I can understand, everything is implemented right now but Google is the party delaying it. See The plan for K-9 Mail 6.200 - #19 by cketti for the latest progress update.

Setting an app password should work and fix that. If you don’t want to use an app password (because it requires 2FA on your account), you’ll have to wait for an update. See the link above.

1 Like

I think that the chances of getting locked out of your google account because of 2fa are fairly low. I believe that there are at least three, maybe more, ways to meet the 2fa challenge (or do recovery). I’ve gotten locked out of my bank account because of their 2fa, but never google.

If you have enabled app passwords then you can disable 2FA and still use the app password.

What is the point of writing about it if you don’t give a clear instruction how to fix this problem even if temporary?

Which comment/post are you referring to? Who is “you”? If it is @dispane , his comment is referring to the top of the OP and makes sense to those who are worried that using 2FA increases the risk of getting locked out if their second factor (often a text message to a mobile phone) does not work for some reason, such as when abroad.

Note that this is not an argument for or against 2FA. It is a fact for now that you (at least temporarily) have to enable 2FA to use K9 with Gmail.

1 Like

That doesn’t sound right. What prevents an “unregistered” email client from passing itself off as an email client that is “registered”? Google’s servers can’t tell what software someone is running on a connecting client computer.

Are K-9 developers aware that once they have made all the software changes Google requires, Google will then demand a whopping one-off payment from K-9?

I understand that Pegasus Mail developers did all the necessary tweaking and then discovered they must pay the huge fee, so they had to announce that retrieving gmail emails will not be possible via Pegasus Mail, which is sad.

In some circumstances Google requires a costly security assessment. But this doesn’t apply to apps like K-9 Mail that handle all the data on the device.

From OAuth API verification FAQs - Google Cloud Platform Console Help (emphasis mine):

Every app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors.

K-9 Mail 6.200 is available now and includes OAuth 2.0 support for Google accounts. See New release: K-9 Mail 6.200

1 Like

Thanks. That’s good news. I have updated to 6.2 recently but I notice that K-9 still can’t retrieve emails from my Gmail accounts. Is there something new that I have to do?

1 Like

I came here for the same problem. The key for me was to manually enter imap.gmail.com and smtp.gmail.com for the Oauth2.0 mechanism to work.

1 Like

@cketti, thank you very much for posting the link How do I update an existing Gmail account to use OAuth 2.0?

After months of having to check my Gmail accounts on my computer only, I have finally found the time to implement the directions at the above link for getting my Android devices back into order. It was easy to do so, and now all three of my Android devices are easily retrieving and send email from my Gmail email accounts.

To any other K-9 user out there who has been frustrated by K-9’s seeming inability to retrieve Gmail emails, please know that following the manual directions at the above link is easily done, and that within minutes K-9 can be once again retrieving emails from all over the place (for me K-9 is again retrieving emails for me from Yahoo, Hotmail, and Gmail).

I’m delighted that K-9 is once again the King of Android email apps! :crown: :crown: :crown: