v0.7.2: Formatted mail address handling regression fix

Welcome to go-mail v0.7.2!

Unfortunately with the v0.7.1 vulnerability fix, a regression was introduced when formatted mail address with full name ("Toni Tester" <[email protected]> were used, resulting in only the mail address (<[email protected]>) being handed over to the SMTP client. This bug was spotted and reported by @NCRonB in #497 - thank you very much for the report.

Sorry for any incovenience this might have caused!

What's Changed

• Refactored address handling for improved consistency and formatting by @wneessen in #498

Full Changelog: v0.7.1...v0.7.2

v0.7.1: Vulnerability fix in mail address handling

Important

This release fixes a vulnerability. All users are encouraged to update to this release at their earliest convenience.

Welcome to go-mail v0.7.1!

This is a security release, which addresses a bug that causes insufficient address encoding when passing mail addresses to the SMTP client, which could lead to possible wrong address routing or even to ESMTP parameter smuggling.

The details of the bug are outlined in #495 and in the go-mail security advisory: GHSA-wpwj-69cm-q9c5
Github assigned the following CVE for this vulnerability: CVE-2025-59937

The vulnerability has been reported by xclow3n. Thank you very much for the detailed report and the thorough testing!

What's Changed

• Fix vulnerability in mail address passing to the smtp client by @wneessen in #496

Full Changelog: v0.7.0...v0.7.1

v0.7.0: Compatiblity changes, EML parser fixes, mail.Address support and more

Welcome to go-mail v0.7.0! 🎉

This release brings important improvements, new features, and fixes to make working with go-mail more reliable and powerful.

Warning

BREAKING CHANGES! This release introduces some changes that might potentially break your code base, so please review carefully before upgrading.

Change in Supported Go Versions

With this release, go-mail will no longer commit to supporting the last four Go versions. Instead, we will follow the official Go release policy and only support versions that are actively maintained by the Go team.

Why this change?

• Security and Dependencies
  Even though go-mail currently has very few dependencies, keeping support for outdated Go versions would prevent us from safely updating them in the future. This creates the risk of leaving users exposed to unpatched security vulnerabilities and critical issues.

• Maintenance Costs
  Supporting unsupported Go versions requires extra workarounds, conditionals, and testing overhead. Every additional version increases maintenance complexity and takes valuable time away from adding new features, improving the code base, and fixing bugs.

• Alignment with the Go Ecosystem
  The Go team provides two releases per year, and each version receives about one year of official support. By aligning with this policy, go-mail ensures that users always benefit from current language features and security patches.

What this means for you

If you are already on a Go version that is actively maintained (at this point: 1.24 or 1.25), nothing changes. If you are on an older, unsupported version, you will not be able to run go-mail v0.7.0 or higher and we strongly encourage upgrading. This will not only allow you to continue using go-mail but will also ensure you benefit from the security and performance improvements provided by the Go team.

Change Reply-To header from generic header type to address header type

|Breaking change| With PR #441 we changed Reply-To header to an AddrHeader type. Since Reply-To is actually an address header which formats the mail address accordingly, and not a generic header, this could lead to potential double encoding if the address and name contain special characters. This change is potentially a breaking change, since we are changing a public type, but as long as the user makes use of msg.ReplyTo() or msg.ReplyToFormat() this should not cause any problems.

Fix "short writes" in Base64LineBreaker and make the type private

|Breaking change| With PRs #445, #448 and #443 we address an issue with the Base64LineBreaker.Write implementation which reports an incorrect count of bytes written ("short writes). While those short writes aren't noticed in practice, since we use base64.Encoder.Encode.Write under the hood, which ignores short writes, the issue was still fixed to make it future-proof against potential changes in the base64 package. This issue was reported and fixed by @dolmen. Thank you very much for your contribution! It was also pointed out, that our Base64LineBreaker was a public type without exposing any public methods, making it unusuable for any 3rd party library. Therefore the Base64LineBreaker type was made private (which in theory is a breaking change, but in practice should not affect any user, given that no public methods were exposed)

EML parsing

The EML parsing was made more robust by introducing several fixes/improvements:

• Fix nil map assignment in EML parser: PR #447 fixes a bug in the EML parser which was caused by a non-initialized map. Parsing an email could cause a panic: assignment to entry in nil map. This issue was reported by numerous users (see: #446, #462, #468, #482 and #490). Thanks to everybody who reported this issue!
• Fix multipart header parsing: PR #458 improves the handling of multipart headers by addressing edge cases where multiple parameters are present.
• Use the original EML boundary instead of generating a new one : PR #491 fixes an issue in which parsed multipart messages would hold two boundary headers, which would render the mail broken. This issue was reported and fixed by @termermc. Thanks for your contribution!

Support for mail.Address types

PR #472 adds support for directly providing *mail.Address instances by providing a SetAddrHeaderFromMailAddress method. It also provides methods for directly providing *mail.Address instances for all the various address types (From, To, CC, BCC, etc.). Additionally it adds a IsAddrHeader method, which checks if the provided string is an address header.

Error handler registry

PR #492 introduces ResponseErrorHandler and ErrorHandlerRegistry - an interface that defines a method for handling SMTP responses that do not comply with expected formats or behaviors and would cause errors during the SMTP communication. It is useful for implementing retry logic, logging, provider-specific error handling. It injects itself into the smtp.Client and is called whenever a server response does fail. This feature addresses #464 and #463. In our Wiki we will collect a currated list of known providers with issues and corresponding code examples on how to implement the error handler.

What's Changed

• BREAKING CHANGE: Refactor Reply-To header handling. by @wneessen in #441
• POTENTIAL BREAKING: More Base64LineBreaker fuzzing by @dolmen in #443
• Fix assignment to nil map in EML parser by @wneessen in #447
• Make Base64LineBreaker private by @wneessen in #448
• Fix multipart header parsing and add test for attachments with metadata by @wneessen in #458
• Fix "short writes" in Base64LineBreaker.Write by @dolmen in #445
• Update TLS test certificates to use 2048-bit RSA keys by @wneessen in #460
• Improve PKCS7 test suite by @wneessen in #423
• Add support for mail.Address instances by @wneessen in #472
• Add support for server responses by @wneessen in #475
• Update README compatibility policy for Go versions by @wneessen in #484
• Refactor codebase to align with updated Go version support by @wneessen in #486
• When decoding a multipart message from EML, use the original EML boundary instead of generating a new one by @termermc in #491
• smtp: Implement ErrorHandlerRegistry for handling errors in SMTP responses by @wneessen in #492
• v0.7.0 release preparation by @wneessen in #493
• Removed internal PBKDF2 implementation and replaced with Go's stdlib by @wneessen in #494

CI/CD maintenance changes

• Remove SonarQube integration from CI workflow. by @wneessen in #442
• Migrate golangci-lint to v2 by @wneessen in #461
• Update CI configuration to support Go 1.25 and disable older versions by @wneessen in #485
• Bump golang.org/x/text from 0.22.0 to 0.28.0 by @dependabot[bot] in #481
• Enable macOS builds in CI test matrix by @wneessen in #487
• Bump golang.org/x/text from 0.28.0 to 0.29.0 by @dependabot[bot] in #488

New Contributors

• @dolmen made their first contribution in #443
• @termermc made their first contribution in #491

Full Changelog: v0.6.2...v0.7.0

v0.6.2: Bugfix release

Welcome to go-mail v0.6.2! This release fixes some bugs and makes go-mail ready for Go 1.24.

Fix regression of custom SMTP authentication handling

PR #429 fixes a regression in the handling of custom smtp.Auth methods that was introduced with the v0.6.0 release. Basically, if a custom SMTP auth method was provided, it was simply ignored. Thanks to @james-d-elliott of the Authelia project for reporting this.

Fix possible nil pointer derefernece in SendWithSMTPClient

With commit 4641da4 we fixed a possible nil pointer dereference in the SendWithSMTPClient method. This would happen if a nil message would be provided to the method. This bug was reported using Github's private vulnerability reporting feature by @younes199511. Thanks for the report!

Header count logic improvements

PR #421 fixed an issue in the header count logic that is used for S/MIME signing. If a header was broken into mutliple lines due to its lenght, the count logic was giving false results, resulting into false content for the S/MIME signature. Thanks to @theexiile1305 for reporting the issue and helping to debug the issue!

Go 1.24 readiness

The PRs #431 and #433 make go-mail and its CI ready for Go 1.24.

What's Changed

• Refactor header count logic for accurate line tracking by @wneessen in #421
• chore: improve tests for multipart messages by @wneessen in #422
• Add tests for handling nil messages in email client by @wneessen in #427
• Fix regression of custom smtp.Auth not working by @wneessen in #429
• Skip tests for broken rand.Reader on Go 1.24+. by @wneessen in #433
• chore: update CI to Go 1.24 by @wneessen in #431
• Update version to 0.6.2 and fix typo in documentation by @wneessen in #434

CI/CD maintenance changes

• Bump golang.org/x/text from 0.21.0 to 0.22.0 by @dependabot in #425
• Bump golang.org/x/crypto from 0.32.0 to 0.33.0 by @dependabot in #426

Full Changelog: v0.6.1...v0.6.2

v0.6.1: Fix for multipart message rendering

Welcome to go-mail v0.6.1! This release is a bug-fix release that addresses a regression introduced in v0.6.0.

Important

If you are working with multipart messages and are currently using v0.6.0, it is advised to upgrade to v0.6.1 to avoid rendering issues.

Fix missing new-lines in multipart rendering

The v0.6.0 release introduced a regression in the multipart message generation (See #412). The boundary lines were not correctly seperated with a new line. This bug was introduced while working on the S/MIME handling. The issue has been fixed in #413. I am sorry for any inconveniences this might have caused. Thanks to @Thomas2500 for reporting the issue!

Multipart boundary handling refactoring

While working on #412, I noticed a general issue with the boundary handling when fixed boundaries are set for the message. This bug was present already since the introduction of Msg.WithBoundary/Msg.SetBoundary, but was only brought to light with the new S/MIME feature introduced in v0.6.0. Since the S/MIME signing needs to set a fixed boundary, it was using the Msg.SetBoundary feature. If more than one multipart parts were used with a fixed boundary, this would render the mail broken (since it was using the same boundary for multiple parts). This has been fixed in #414 and #416. The GoDoc for Msg.WithBoundary/Msg.SetBoundary has also been updated with a warning that using the feature with more than one parts will break the message rendering.

Removal of XOAUTH2 from Auto-Discovery feature

Since XOAUTH2 works with Bearer tokens instead of passwords but the Auto-Discovery SMTP auth feature makes use of a username/password pair having XOAUTH2 in the prefered mechanisms list could cause authentication failures. Therefore the XOAUTH2 mechanism has been removed from the feature completely. Thanks to @james-d-elliott for pointing this out!

What's Changed

• Fix regression in multipart boundary writing by @wneessen in #413
• Refactor multipart boundary handling in message rendering by @wneessen in #416
• Remove XOAUTH2 from Auto-Discovery SMTP auth feature by @wneessen in #417
• chore: prepare 061 release by @wneessen in #418

Full Changelog: v0.6.0...v0.6.1

v0.6.0: S/MIME, Auto-discovery, Quicksend and more

Welcome to go-mail v0.6.0! This release brings some cool new features. We hope you enjoy!

S/MIME signing support

The PRs #298 and #406 add S/MIME signing support to go-mail. We support RSA and ECDSA keys for the time being. Two new methods have been added to the Msg type: Msg.SignWithKeypair which allows message signing by providing seperate crypto.PrivateKey and x509.Certificate parts and Msg.SignWithTLSCertificate which allows to sign messages by providing a corresponding tls.Certificate. Please keep in mind that this is a completely new feature and while we did thorough testing there might be some edge cases that haven't been checked so far. Feedback for this feature is welcome. If you run into issues, please open a Github issue accordingly. This feature has been contributed by @theexiile1305 and has been extended by myself. Big thanks a lot to @theexiile1305 for their contribution!

SMTP authentication auto-discovery

PRs #373 and #374 implement a new SMTP auth mechanism to automatically discover and select the strongest supported SMTP authentication type. This feature simplifies the authentication process for users and enhances security by prioritizing stronger mechanisms based on server capabilities.

Quicksend

PR #378 introduces the QuickSend function for sending emails quickly with TLS and optional SMTP authentication. This feature is similar to the SendMail method of the net/smtp package, but makes use of all go-mail Client and Msg features, including error checking and validations. In essence this new method will create a new client that connects to the server at addr, switches to TLS if possible, authenticates with the optional AuthData provided in auth and create a new simple Msg with the provided subject string and message bytes as body. The message will be sent using from as sender address and will be delivered to every address in rcpts. QuickSend will always send as text/plain ContentType. For the SMTP authentication, if auth is not nil and AuthData.Auth is set to true, it will try to autodiscover the best SMTP authentication mechanism supported by the server. If auth is set to true but autodiscover is not able to find a suitable authentication mechanism or if the authentication fails, the mail delivery will fail completely.

Support for io/fs.FS attachments/embeds

The PR #376 adds support for generic file systems that satisfy the fs.FS interface. Since embed.FS is such a file system, the embed.FS has been refactored to make use of the more generic fs.FS code. It also introduces two new methods Msg.AttachFromIOFS and Msg.EmbedFromIOFS.

More robust concurrency-/thread-safety

Goroutines are easy, but concurrency is hard, and since we added concurrency just with the latest release, some issues were to be expected. With #386 a concurrency issues was fixed when a user would use DialAndSend or DialAndSendWithContext in concurrent goroutines instead of using a single Client and then just using Send within the goroutines. With PR #386 the overall concurrency-safety is made more reliable.

Improved filename sanitization in MIME headers

PR #388 introduced proper filename sanitization for attachments and embedded files. It will repace invalid characters with underscore _ characters before encoding them. This prevents control (like new lines) and special characters like backslash or quotes from causing issues in MIME headers and file systems. As a side effect this prevents newline characters from introducing a potential vulnerability by using filenames with newlines characters in it. We also make sure that the Content-Description header is properly encoded now.

Unix domain socket support

PR #408 adds support for connecting to unix domain sockets instead of a TCP connection. This can be easily established by prefixing the hostname with unix://. This feature has been requested by the Forgejo project. Thanks to them for their input on this.

More test overhauling

Following the test suite overhaul of the 0.5.2 release, with #361 the test suite for the go-mail SMTP client has also been completely rewritten for better coverage as well.

What's Changed

• SMTP client tests overhaul by @wneessen in #361
• Fix spelling in some tests by @wneessen in #362
• Remove CC0-1.0 license by @wneessen in #363
• Expose error code in SendError by @wneessen in #368
• Enable gosec linter and add exclusion rules by @wneessen in #370
• Add SMTP authentication auto-discovery by @wneessen in #373
• Add support for SMTP auto-discovery authentication by @wneessen in #374
• Support attachments/embeds via io/fs.FS by @wneessen in #376
• Add QuickSend feature by @wneessen in #378
• Add mutex for concurrent send protection by @wneessen in #381
• Fix concurrency issue in DialAndSendWithContext by @wneessen in #386
• Remove unused opts parameter docstring by @wneessen in #387
• Improve filename sanitization in MIME headers by @wneessen in #388
• Support of S/MIME Signing by @theexiile1305 in #298
• Refactor and extend S/MIME signing support by @wneessen in #406
• Unix domain socket support by @wneessen in #408
• Prepare 0.6.0 release by @wneessen in #409

CI/CD maintenance changes

• Bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot in #358
• Bump sonarsource/sonarqube-scan-action from 3.0.0 to 3.1.0 by @dependabot in #359
• Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #360
• Bump github/codeql-action from 3.27.1 to 3.27.2 by @dependabot in #364
• Bump github/codeql-action from 3.27.2 to 3.27.3 by @dependabot in #367
• Bump sonarsource/sonarqube-scan-action from 3.1.0 to 4.0.0 by @dependabot in #366
• Bump fsfe/reuse-action from 4.0.0 to 5.0.0 by @dependabot in #369
• Bump github/codeql-action from 3.27.3 to 3.27.4 by @dependabot in #372
• Bump codecov/codecov-action from 4.6.0 to 5.0.1 by @dependabot in #371
• Bump codecov/codecov-action from 5.0.1 to 5.0.2 by @dependabot in #375
• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #377
• Bump codecov/codecov-action from 5.0.2 to 5.0.4 by @dependabot in #379
• Bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #382
• Bump codecov/codecov-action from 5.0.4 to 5.0.7 by @dependabot in #383
• Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #384
• [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #391
• Bump sonarsource/sonarqube-scan-action from 4.0.0 to 4.1.0 by @dependabot in #393
• Bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #394
• Bump golang.org/x/text from 0.20.0 to 0.21.0 by @dependabot in #396
• Bump golang.org/x/crypto from 0.29.0 to 0.30.0 by @dependabot in #395
• Bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in #397
• Bump github/codeql-action from 3.27.6 to 3.27.7 by @dependabot in #399
• Bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot in #398
• Bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #400
• Bump github/codeql-action from 3.27.7 to 3.27.9 by @dependabot in #401
• Bump sonarsource/sonarqube-scan-action from 4.1.0 to 4.2.1 by @dependabot in #402
• Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #403
• Bump golang.org/x/crypto from 0.31.0 to 0.32.0 by @dependabot in #405

New Contributors

• @theexiile1305 made their first contribution in #298

Full Changelog: v0.5.2...v0.6.0

v0.5.2: Better tests, minor bug fixes, unencrypted auth methods and fig-support.

Welcome to go-mail v0.5.2! This release is mainly a maintenance release.

fig.StringUnmarshaler support for SMTPAuthType

With #341 we introduce support for the fig.StringUnmarshaler interface for SMTPAuthType. This allows users of fig to reference the mail.SMTPAuthType directly in their fig config.

Allow unencrypted PLAIN and LOGIN smtp authentication

The PR #344 introduced two new SMTPAuthType types: SMTPAuthPlainNoEnc and SMTPAuthLoginNoEnc. Both allow PLAIN and LOGIN authentication over unencrypted connections. This can be useful if the connection has already been secured in a different way (e. g. a SSH tunnel).

Overhaul of the test suite and GH workflow

The PRs #348, #349 and #352 are a full overhaul of the go-mail test suite. Almost all tests have been rewritten to better coverage, visibility and maintainability. We've now covered +92% of all code. The Github workflow was also improved and is now less error prone.

During the tests rewrite a couple of minor bugs were found and fixed on the way:

• Add error check for nil SMTP authentication method 1c8b290
• Add error handling for nil DialContextFunc 35f92f2
• Set fallbackPort to 0 in SetTLSPortPolicy 3efd2b5
• Move delivery status update after writer close check 42c6379
• Remove redundant connection check in auth function 5e3ebcc
• Remove redundant connection check in send function 45ebcb9
• Add nil check for smtpClient in checkConn function 4a8ac76
• Refactor error handling in eml parser 769783f
• Initialize address header map and enforce single 'From' address 08fe44c
• Fix ToFromString to handle and trim empty addresses c99b6c3
• Refine CcFromString to handle spaces and empty addresses 855d7f0
• Improve BccFromString to handle spaces and empty addresses f079ea0
• Refactor SetDate to use SetDateWithValue ae15a12
• Initialize genHeader in RequestMDNTo method 4f97cd8
• Refactor RequestMDNAddTo 4fe9022
• Follow upstream for HELO during Quit bug 8353b4b - The reported upstream bug was caused by this PR. See: golang/go#70011

What's Changed

• Fix spelling errors by @wneessen in #340
• Add fig.StringUnmarshaler support for SMTPAuthType by @wneessen in #341
• Allow unencrypted PLAIN and LOGIN smtp authentication by @wneessen in #344
• Overhaul test suite and GH CI workflow by @wneessen in #348
• Add base-ref and head-ref to Dependency Review action by @wneessen in #349
• More test improvements by @wneessen in #352
• Fix(close): Access to nil variable causes panic by @sonalys in #353
• Add test for closing a nil smtpclient by @wneessen in #354

CI/CD maintenance changes

• Bump actions/dependency-review-action from 4.3.4 to 4.3.5 by @dependabot in #343
• Bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #345
• Bump actions/setup-go from 5.0.2 to 5.1.0 by @dependabot in #346
• Bump sonarsource/sonarqube-quality-gate-action from dc2f7b0dd95544cd550de3028f89193576e958b9 to 8406f4f1edaffef38e9fb9c53eb292fc1d7684fa by @dependabot in #351
• Bump actions/dependency-review-action from 4.3.5 to 4.4.0 by @dependabot in #350

New Contributors

• @sonalys made their first contribution in #353. Thank you very much for the bugfix!

Full Changelog: v0.5.1...v0.5.2

v0.5.1: SMTP auth fixes and logging optimizations

Welcome to go-mail v0.5.1! This release brings a bug fix and some optimizations around logging.

Regression fix for SMTP authentication

With v0.5.0 we unintentionally introduced a regression for the SMTP authentication part of go-mail - at least for some edge cases. As reported in #332, in case the user did not provide an explicit SMTP authentication option, the Client would fail with an "server does not support SMTP AUTH" error. The quick work-around was setting SMTP Auth to "Custom" as pointed out in #328. While it improved the security of the package, as it would not skip authentication if none was given, it was breaking in some edge cases and the "Custom" auth type was not meant to be the default.

We now changed the SMTPAuthNoAuth from an empty string to "NOAUTH". This value is set as default for the Client in NewClient. This way we always have a fixed assignment and an empty string would not skip authentication. The auth() method has been updated to either assign the smtp.Auth function if SMTPAuthType is not set to "NOAUTH" or skip the part there is already an auth function set (this would only happen when SetSMTPAuthCustom or WithSMTPAuthCustom were used).

If SMTPAuthType is set to an empty string, the authentication assignment would fail as it is a not supported mechanism, therefore making sure that the client wouldn't accidentaly skip the authentication at all.

We are sorry if this broke your code with the v0.5.0 release. Thanks to @james-d-elliott and @ugexe for reporting this and for testing the fix.

SMTP authentication data logging

go-mail claims to ship with sane defaults. While this is true, there was one aspect where this wasn't true: debug logging. The debug logger would potentially expose SMTP authentication data to the logs, which could pose a risk. With v0.5.1 we now redact SMTP authentication data by default as a sane and secure default. We realize though, that you sometimes need access to the authentication data. Therefore two new options were introduced to the Client: WithLogAuthData() and SetLogAuthData(bool). With either of these you can instruct the Client to log full SMTP authentication data again.

Simplification of the message ID generation

As pointed out by @mitar in #326, the way we generated the message ID was much to complicated using different sources of randomness while already using a secure string generator. #329 simplied the message ID generation to only use the secure string generator and get rid of the rest of the strings and numbers we added to the message ID. We now have 64 possible characters to generate a 22 character long string, which provides approx. 132 bits of entropy. This should more than enough to guarantee a unique ID for each message.

What's Changed

• Simplify message id generation and get rid of randnum by @wneessen in #329
• Redact logging of SMTP authentication data by @wneessen in #338
• Add default SMTP authentication type to NewClient by @wneessen in #335
• code duplication reduction for jsonlog.go and stdlog.go by @sarff in #336

CI/CD maintenance changes

• Bump actions/upload-artifact from 4.4.0 to 4.4.1 by @dependabot in #331
• Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #330
• Bump actions/upload-artifact from 4.4.1 to 4.4.2 by @dependabot in #333
• Bump actions/upload-artifact from 4.4.2 to 4.4.3 by @dependabot in #334
• Bump github/codeql-action from 3.26.12 to 3.26.13 by @dependabot in #337

New Contributors

• @sarff made their first contribution in #336. Thank you very much!

Full Changelog: v0.5.0...v0.5.1

v0.5.0: Concurrency-safety, SCRAM-SHA, improved error handling and better GoDoc documentation // *POTENTIALLY BREAKING*

Welcome to go-mail v0.5.0! This release is a big one, bringing new features and improvements to the go-mail codebase!

Goroutine-/thread-safety (Potentially breaking)

With #307 we've made go-mail goroutine-safe by introducing a sync.Mutex. Concurrency-safety was a much requested feature, now allowing you to dial your Client and then use that Client in different goroutines. While we've added a lot of new tests (including a test SMTP server to which we connect to in different goroutines), this feature has not been extensively tested in an production environment. Therefore we've marked this features (and respectively this release) as a potentially breaking release. If you plan to use go-mail in a concurrency scenario, please test properly and report back any issues.

SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS) SMTP authentication support

With #310 we have introduced SMTP authentication functions for SCRAM-SHA-1(-PLUS) and SCRAM-SHA-256(-PLUS). Most of the ground work was contributed by @drakkan. @wneessen cleaned up the code a bit, added channel bindings support and added several test cases.

SCRAM-SHA-X(-PLUS) isn't commonly supported, yet but I've tested the code with Dovecot (no channel binding support) and mox (supports both) and the code seems to be working properly. Feedback from using SCRAM with other systems is appreciated!

Thanks again to @drakkan for the excellent WIP code.

Improved error handling

With #301 the error handling was refactored in accordance to #168. Errors are not nested into each other anymore. The send logic for a single message has been moved to the non-version-specific Client.go while the version-specific only handle multi-message handling and error combination. Error messages now also refer to a message ID of the message that failed (if present), for easier debugging.

Thanks to @mitar for pointing out the flaws in the old error handling system and for suggesting the improvements.

Enhanced SMTP LOGIN authentication handling

With #312 we've refactored the SMTP LOGIN auth handling, to improve compatibility with various server responses.

In detail: before, we were only roughly following the Microsoft Spec they defined for MS Outlook.
Meaning:

• Sending AUTH LOGIN (server might responds with "Username:")
• Sending the username (server might responds with "Password:")
• Sending the password (server authenticates)

This is the common approach for most mail systems/providers and is the specified way by Microsoft in their MS-XLOGIN spec.

Yet, there is also an old IETF draft for SMTP AUTH LOGIN that states for clients:

The contents of both challenges SHOULD be ignored.

Since there is no official standard RFC and we've seen different implementations of this mechanism (sending "Username:", "Username", "username", "User name", etc.) we now follow the IETF-Draft instead and ignore any server challange to allow compatiblity with most mail servers/providers. This way it works with servers that follow the Microsoft way but also any other kind of implementation (like i. e. Mox).

Improved GoDoc documentation

With #324 we revises the GoDoc documenation comments for the whole package. It provides much more details for each method in a more standardised format, allowing users of the package to get better information on what does what. This is especially helpful for LSP implementations like gopls.

Simplified random number generation

The random methods for generating random numbers have been simplified and the use of crypto/rand has been replaced by math/rand or math/rand/v2 (depending on the used Go version). We've realized that for our use cases, math/rand will provide enough randomness. It simplies the randNum code a lot.

Dependencies (Potentially breaking)

So far, we were always commited to keep go-mail dependency-free, meaning only relying on the Go Stdlib. So far this has been working well and we believe that people appreciate that no further dependcies are added to their project, when they import go-mail. Yet, we've finally reached a point, where adding new features might require us to import some limited dependencies. This happened with the SCRAM support in #310. We've done a poll beforehand to see if the community is fine with this and the common agreement is, that people are ok with a limited, well curated list of external packages as long as the packages are still maintained and have a good security reputation. Therefore this release adds the first dependencies to go-mail - both from the Go extended library:

• golang.org/x/crypto
• golang.org/x/text

As your codebase might not allow for additional dependencies, this feature is also marked as Potentially breaking

We hope you like this release and a big thanks goes out the community that contributed to this release.

What's Changed

• Improved error handling by @wneessen in #301
• Improved client error testing by @wneessen in #302
• More test coverage by @wneessen in #303
• go-mail goroutine-/thread-safety by @wneessen in #307
• SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS) support by @wneessen in #310
• Enhance SMTP LOGIN auth and add comprehensive tests by @wneessen in #312
• Update test recipient email in client tests by @wneessen in #316
• More test coverage for smtp/auth by @wneessen in #317
• Add support for SCRAM-SHA-1-PLUS and SCRAM-SHA-256-PLUS by @wneessen in #323
• Revision of the GoDoc documentation by @wneessen in #324

CI/CD maintenance changes

• Bump step-security/harden-runner from 2.9.1 to 2.10.1 by @dependabot in #297
• Bump github/codeql-action from 3.26.6 to 3.26.7 by @dependabot in #299
• Bump github/codeql-action from 3.26.7 to 3.26.8 by @dependabot in #300
• Bump sonarsource/sonarqube-scan-action from 0c0f3958d90fc466625f1d1af1f47bddd4cc6bd1 to f885e52a7572cf7943f28637e75730227df2dbf2 by @dependabot in #304
• Bump github/codeql-action from 3.26.8 to 3.26.9 by @dependabot in #306
• Bump sonarsource/sonarqube-scan-action from f885e52a7572cf7943f28637e75730227df2dbf2 to 884b79409bbd464b2a59edc326a4b77dc56b2195 by @dependabot in #305
• Bump github/codeql-action from 3.26.9 to 3.26.10 by @dependabot in #309
• Fix GitHub actions by @wneessen in #315
• Bump golang/govulncheck-action from 1.0.3 to 1.0.4 by @dependabot in #314
• Bump codecov/codecov-action from 4.5.0 to 4.6.0 by @dependabot in #313
• Bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @dependabot in #318
• Bump github/codeql-action from 3.26.10 to 3.26.11 by @dependabot in #321
• Update GH test workflows by @wneessen in #319
• Update GitHub Actions paths for Go and workflow files by @wneessen in #322

Full Changelog: v0.4.4...v0.5.0

v0.4.4: Re-release due to checksum mismatch

This release is identical to v0.4.3. Nothing changed. Due to an unfortunate misclick on my end, v0.4.3 was released twice which caused a checksum mismatch for some users. This release fixes the issue by releasing as a new tag.

Sorry for the inconveniences this caused.

What's Changed

• Bump github/codeql-action from 3.26.2 to 3.26.3 by @dependabot in #289
• Bump github/codeql-action from 3.26.3 to 3.26.4 by @dependabot in #290
• Bump github/codeql-action from 3.26.4 to 3.26.5 by @dependabot in #291
• Bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #292
• Bump sonarsource/sonarqube-quality-gate-action from 72f24ebf1f81eda168a979ce14b8203273b7c3ad to dc2f7b0dd95544cd550de3028f89193576e958b9 by @dependabot in #293
• Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #294
• Update doc.go by @wneessen in #295

Full Changelog: v0.4.3...v0.4.4