Gomail Fork

This is a fork of https://github.com/go-gomail/gomail. The original project is no longer maintained. I maintain this fork for my mailsend-go program.

Changes

• Added go module support

• SMTP XOAUTH2 support is added (Mar-26-2025)

• STARTTLS downgrade protection added (May-03-2026)

• https://muquit.com/

Usage

To use this fork in your code:

go get github.com/muquit/gomail@latest
go mod tidy

See hello_gomail for a minimal working example.

STARTTLS downgrade protection

A network attacker (MITM on Wi-Fi, rogue DNS, corporate proxy) can strip the 250-STARTTLS line from a server's EHLO response. The client never sees the advertisement, skips TLS, and sends credentials in plaintext — with no error. This is known as a STARTTLS stripping attack.

The new RequireSTARTTLS field on Dialer guards against this. When set to true, Dial() returns an error if the server does not advertise STARTTLS instead of silently falling back to plaintext.

d := gomail.NewDialer("smtp.example.com", 587, "user", "password")
d.RequireSTARTTLS = true   // reject connection if STARTTLS is not advertised

if err := d.DialAndSend(m); err != nil {
    log.Fatal(err)
}

RequireSTARTTLS defaults to false, so all existing code is unaffected. It has no effect when SSL is true (port 465), since that path never uses STARTTLS.

Examples

• See OAuth2 test example for SMTP XOAUTH2 usage
• See MailHog STARTTLS test for a live integration test of STARTTLS downgrade protection
• See mailsend-go for real-world implementation

---

Original README content is below

Introduction

Gomail is a simple and efficient package to send emails. It is well tested and documented.

Gomail can only send emails using an SMTP server. But the API is flexible and it is easy to implement other methods for sending emails using a local Postfix, an API, etc.

It is versioned using gopkg.in so I promise there will never be backward incompatible changes within each version.

It requires Go 1.2 or newer. With Go 1.5, no external dependencies are used.

Features

Gomail supports:

• Attachments
• Embedded images
• HTML and text templates
• Automatic encoding of special characters
• SSL and TLS
• Sending multiple emails with the same SMTP connection

Documentation

https://godoc.org/gopkg.in/gomail.v2

Download

go get gopkg.in/gomail.v2

Examples

See the examples in the documentation.

FAQ

x509: certificate signed by unknown authority

If you get this error it means the certificate used by the SMTP server is not considered valid by the client running Gomail. As a quick workaround you can bypass the verification of the server's certificate chain and host name by using SetTLSConfig:

package main

import (
	"crypto/tls"

	"gopkg.in/gomail.v2"
)

func main() {
	d := gomail.NewDialer("smtp.example.com", 587, "user", "123456")
	d.TLSConfig = &tls.Config{InsecureSkipVerify: true}

    // Send emails using d.
}

Note, however, that this is insecure and should not be used in production.

Contribute

Contributions are more than welcome! See CONTRIBUTING.md for more info.

Change log

See CHANGELOG.md.

License

MIT

Contact

You can ask questions on the Gomail thread in the Go mailing-list.