diff --git a/admin/database_updates.php b/admin/database_updates.php
index dd6442a3..f97ce66b 100644
--- a/admin/database_updates.php
+++ b/admin/database_updates.php
@@ -3983,11 +3983,20 @@ if (LATEST_DATABASE_VERSION > CURRENT_DATABASE_VERSION) {
 
         mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '2.3.3'");
     }
+
+    if (CURRENT_DATABASE_VERSION == '2.3.3') {
+
+        mysqli_query($mysqli, "ALTER TABLE settings 
+            ADD `config_smtp_provider` ENUM('standard_smtp','google_oauth','microsoft_oauth') NULL DEFAULT NULL AFTER `config_start_page`
+        ");
+
+        mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '2.3.4'");
+    }
     
-    // if (CURRENT_DATABASE_VERSION == '2.3.3') {
-    //     // Insert queries here required to update to DB version 2.3.3
+    // if (CURRENT_DATABASE_VERSION == '2.3.4') {
+    //     // Insert queries here required to update to DB version 2.3.4
     //     // Then, update the database to the next sequential version
-    //     mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '2.3.4'");
+    //     mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '2.3.5'");
     // }
 
 } else {
diff --git a/admin/post/settings_mail.php b/admin/post/settings_mail.php
index 7954aafb..daf479e3 100644
--- a/admin/post/settings_mail.php
+++ b/admin/post/settings_mail.php
@@ -3,114 +3,87 @@
 defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
 
 if (isset($_POST['edit_mail_smtp_settings'])) {
-
+    
     validateCSRFToken($_POST['csrf_token']);
 
-    $config_smtp_host = sanitizeInput($_POST['config_smtp_host']);
-    $config_smtp_port = intval($_POST['config_smtp_port']);
-    $config_smtp_encryption = sanitizeInput($_POST['config_smtp_encryption']);
-    $config_smtp_username = sanitizeInput($_POST['config_smtp_username']);
-    $config_smtp_password = sanitizeInput($_POST['config_smtp_password']);
+    $config_smtp_provider            = sanitizeInput($_POST['config_smtp_provider'] ?? 'standard_smtp');
+    $config_smtp_host                = sanitizeInput($_POST['config_smtp_host']);
+    $config_smtp_port                = intval($_POST['config_smtp_port'] ?? 0);
+    $config_smtp_encryption          = sanitizeInput($_POST['config_smtp_encryption']);
+    $config_smtp_username            = sanitizeInput($_POST['config_smtp_username']);
+    $config_smtp_password            = sanitizeInput($_POST['config_smtp_password']);
 
-    mysqli_query($mysqli,"UPDATE settings SET config_smtp_host = '$config_smtp_host', config_smtp_port = $config_smtp_port, config_smtp_encryption = '$config_smtp_encryption', config_smtp_username = '$config_smtp_username', config_smtp_password = '$config_smtp_password' WHERE company_id = 1");
+    // Shared OAuth fields
+    $config_mail_oauth_client_id     = sanitizeInput($_POST['config_mail_oauth_client_id']);
+    $config_mail_oauth_client_secret = sanitizeInput($_POST['config_mail_oauth_client_secret']);
+    $config_mail_oauth_tenant_id     = sanitizeInput($_POST['config_mail_oauth_tenant_id']);
+    $config_mail_oauth_refresh_token = sanitizeInput($_POST['config_mail_oauth_refresh_token']);
+    $config_mail_oauth_access_token  = sanitizeInput($_POST['config_mail_oauth_access_token']);
 
-    logAction("Settings", "Edit", "$session_name edited SMTP mail settings");
+    mysqli_query($mysqli, "
+        UPDATE settings SET
+            config_smtp_provider              = " . ($config_smtp_provider === 'none' ? "NULL" : "'$config_smtp_provider'") . ",
+            config_smtp_host                  = '$config_smtp_host',
+            config_smtp_port                  = $config_smtp_port,
+            config_smtp_encryption            = '$config_smtp_encryption',
+            config_smtp_username              = '$config_smtp_username',
+            config_smtp_password              = '$config_smtp_password',
+            config_mail_oauth_client_id       = '$config_mail_oauth_client_id',
+            config_mail_oauth_client_secret   = '$config_mail_oauth_client_secret',
+            config_mail_oauth_tenant_id       = '$config_mail_oauth_tenant_id',
+            config_mail_oauth_refresh_token   = '$config_mail_oauth_refresh_token',
+            config_mail_oauth_access_token    = '$config_mail_oauth_access_token'
+        WHERE company_id = 1
+    ");
 
+    logAction("Settings", "Edit", "$session_name edited SMTP settings");
+    
     flash_alert("SMTP Mail Settings updated");
-
+    
     redirect();
 
 }
 
 if (isset($_POST['edit_mail_imap_settings'])) {
-
+    
     validateCSRFToken($_POST['csrf_token']);
 
-    // Provider ('' -> NULL allowed)
-    $config_imap_provider = sanitizeInput($_POST['config_imap_provider']);
-    $allowed_providers = ['standard_imap','google_oauth','microsoft_oauth'];
-    if ($config_imap_provider !== '' && !in_array($config_imap_provider, $allowed_providers, true)) {
-        $config_imap_provider = 'standard_imap'; // fallback
-    }
+    $config_imap_provider            = sanitizeInput($_POST['config_imap_provider'] ?? 'standard_imap');
+    $config_imap_host                = sanitizeInput($_POST['config_imap_host']);
+    $config_imap_port                = intval($_POST['config_imap_port'] ?? 0);
+    $config_imap_encryption          = sanitizeInput($_POST['config_imap_encryption']);
+    $config_imap_username            = sanitizeInput($_POST['config_imap_username']);
+    $config_imap_password            = sanitizeInput($_POST['config_imap_password']);
 
-    // Standard IMAP fields (kept for all providers; OAuth still needs these endpoints)
-    $config_imap_host        = sanitizeInput($_POST['config_imap_host']);
-    $config_imap_port        = (int) sanitizeInput($_POST['config_imap_port']);
-    $config_imap_encryption  = sanitizeInput($_POST['config_imap_encryption']); // '', 'tls', 'ssl'
-    $config_imap_username    = sanitizeInput($_POST['config_imap_username']);
-    $config_imap_password    = sanitizeInput($_POST['config_imap_password']);   // ignored if OAuth selected
+    // Shared OAuth fields
+    $config_mail_oauth_client_id     = sanitizeInput($_POST['config_mail_oauth_client_id']);
+    $config_mail_oauth_client_secret = sanitizeInput($_POST['config_mail_oauth_client_secret']);
+    $config_mail_oauth_tenant_id     = sanitizeInput($_POST['config_mail_oauth_tenant_id']);
+    $config_mail_oauth_refresh_token = sanitizeInput($_POST['config_mail_oauth_refresh_token']);
+    $config_mail_oauth_access_token  = sanitizeInput($_POST['config_mail_oauth_access_token']);
 
-    // Shared OAuth fields (may or may not be present in your form yet)
-    $config_mail_oauth_client_id                = sanitizeInput($_POST['config_mail_oauth_client_id']);
-    $config_mail_oauth_client_secret            = sanitizeInput($_POST['config_mail_oauth_client_secret']);
-    $config_mail_oauth_tenant_id                = sanitizeInput($_POST['config_mail_oauth_tenant_id']); // M365 only; harmless to keep when Google
-    $config_mail_oauth_refresh_token            = sanitizeInput($_POST['config_mail_oauth_refresh_token']);
-    $config_mail_oauth_access_token             = sanitizeInput($_POST['config_mail_oauth_access_token']); // optional manual paste
-    $config_mail_oauth_access_token_expires_at  = sanitizeInput($_POST['config_mail_oauth_access_token_expires_at']); // 'YYYY-mm-dd HH:ii:ss' optional
-
-    // If provider is not OAuth, purge OAuth values on save
-    $is_oauth = ($config_imap_provider === 'google_oauth' || $config_imap_provider === 'microsoft_oauth');
-
-    // Detect refresh token change to invalidate access token cache
-    // (Relies on $config_mail_oauth_refresh_token loaded earlier with settings)
-    $refresh_changed = false;
-    if ($is_oauth) {
-        $prev_refresh = isset($config_mail_oauth_refresh_token_current) ? $config_mail_oauth_refresh_token_current : ($config_mail_oauth_refresh_token ?? '');
-        // If you already load settings into $config_mail_oauth_refresh_token, use that:
-        if (isset($config_mail_oauth_refresh_token)) {
-            $prev_refresh = $config_mail_oauth_refresh_token;
-        }
-        $refresh_changed = ($config_mail_oauth_refresh_token !== '' && $config_mail_oauth_refresh_token !== $prev_refresh)
-                           || ($config_mail_oauth_refresh_token === '' && $prev_refresh !== '');
-    }
-
-    // If OAuth refresh changed or provider just switched to non-OAuth, clear access token values
-    if (!$is_oauth || $refresh_changed) {
-        $config_mail_oauth_access_token = '';
-        $config_mail_oauth_access_token_expires_at = '';
-    }
-
-    // Helper for NULL / quoted values
-    $q = fn($v) => ($v !== '' ? "'" . mysqli_real_escape_string($mysqli, $v) . "'" : "NULL");
-
-    // Build UPDATE with correct NULL handling
-    $sql = "
+    mysqli_query($mysqli, "
         UPDATE settings SET
-            config_imap_provider = " . ($config_imap_provider !== '' ? $q($config_imap_provider) : "NULL") . ",
-            config_imap_host = " . $q($config_imap_host) . ",
-            config_imap_port = " . (int)$config_imap_port . ",
-            config_imap_encryption = " . $q($config_imap_encryption) . ",
-            config_imap_username = " . $q($config_imap_username) . ",
-            config_imap_password = " . ($is_oauth ? "NULL" : $q($config_imap_password)) . ",
-
-            -- Shared OAuth fields (kept even if provider is Google or Microsoft; NULL if not used)
-            config_mail_oauth_client_id = " . ($is_oauth ? $q($config_mail_oauth_client_id) : "NULL") . ",
-            config_mail_oauth_client_secret = " . ($is_oauth ? $q($config_mail_oauth_client_secret) : "NULL") . ",
-            config_mail_oauth_tenant_id = " . ($is_oauth ? $q($config_mail_oauth_tenant_id) : "NULL") . ",
-            config_mail_oauth_refresh_token = " . ($is_oauth ? $q($config_mail_oauth_refresh_token) : "NULL") . ",
-            config_mail_oauth_access_token = " . ($is_oauth ? $q($config_mail_oauth_access_token) : "NULL") . ",
-            config_mail_oauth_access_token_expires_at = " . ($is_oauth ? $q($config_mail_oauth_access_token_expires_at) : "NULL") . "
+            config_imap_provider              = " . ($config_imap_provider === 'none' ? "NULL" : "'$config_imap_provider'") . ",
+            config_imap_host                  = '$config_imap_host',
+            config_imap_port                  = $config_imap_port,
+            config_imap_encryption            = '$config_imap_encryption',
+            config_imap_username              = '$config_imap_username',
+            config_imap_password              = '$config_imap_password',
+            config_mail_oauth_client_id       = '$config_mail_oauth_client_id',
+            config_mail_oauth_client_secret   = '$config_mail_oauth_client_secret',
+            config_mail_oauth_tenant_id       = '$config_mail_oauth_tenant_id',
+            config_mail_oauth_refresh_token   = '$config_mail_oauth_refresh_token',
+            config_mail_oauth_access_token    = '$config_mail_oauth_access_token'
         WHERE company_id = 1
-    ";
-
-    mysqli_query($mysqli, $sql);
-
-    logAction("Settings", "Edit", "$session_name edited IMAP/OAuth mail settings");
-
-    // Friendly hint about what was saved
-    if ($config_imap_provider === '') {
-        flash_alert("IMAP monitoring disabled (provider not configured).");
-    } elseif ($config_imap_provider === 'standard_imap') {
-        flash_alert("IMAP settings updated (standard username/password).");
-    } elseif ($config_imap_provider === 'google_oauth') {
-        flash_alert("IMAP settings updated for Google Workspace (OAuth).");
-    } elseif ($config_imap_provider === 'microsoft_oauth') {
-        flash_alert("IMAP settings updated for Microsoft 365 (OAuth).");
-    } else {
-        flash_alert("IMAP settings updated.");
-    }
+    ");
 
+    logAction("Settings", "Edit", "$session_name edited IMAP settings");
+    
+    flash_alert("IMAP Mail Settings updated");
+    
     redirect();
+
 }
 
 if (isset($_POST['edit_mail_from_settings'])) {
diff --git a/admin/settings_mail.php b/admin/settings_mail.php
index ec18b8bb..1b6acea1 100644
--- a/admin/settings_mail.php
+++ b/admin/settings_mail.php
@@ -10,61 +10,87 @@ require_once "includes/inc_all_admin.php";
             <form action="post.php" method="post" autocomplete="off">
                 <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
+                <!-- SMTP Provider -->
                 <div class="form-group">
-                    <label>SMTP Host</label>
+                    <label>SMTP Provider</label>
                     <div class="input-group">
                         <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-server"></i></span>
+                            <span class="input-group-text"><i class="fa fa-fw fa-cloud"></i></span>
                         </div>
-                        <input type="text" class="form-control" name="config_smtp_host" placeholder="Mail Server Address" value="<?php echo nullable_htmlentities($config_smtp_host); ?>" required>
-                    </div>
-                </div>
-
-                <div class="form-group">
-                    <label>SMTP Port</label>
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-plug"></i></span>
-                        </div>
-                        <input type="number" min="0" class="form-control" name="config_smtp_port" placeholder="Mail Server Port Number" value="<?php echo intval($config_smtp_port); ?>" required>
-                    </div>
-                </div>
-
-                <div class="form-group">
-                    <label>Encryption</label>
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
-                        </div>
-                        <select class="form-control" name="config_smtp_encryption">
-                            <option value=''>None</option>
-                            <option <?php if ($config_smtp_encryption == 'tls') { echo "selected"; } ?> value="tls">TLS</option>
-                            <option <?php if ($config_smtp_encryption == 'ssl') { echo "selected"; } ?> value="ssl">SSL</option>
+                        <select class="form-control" name="config_smtp_provider" id="config_smtp_provider">
+                            <option value="none" <?php if(($config_smtp_provider ?? '')==='none' || ($config_smtp_provider ?? '')==='') echo 'selected'; ?>>None (Disabled)</option>
+                            <option value="standard_smtp" <?php if(($config_smtp_provider ?? 'standard_smtp')==='standard_smtp') echo 'selected'; ?>>Standard SMTP (Username/Password)</option>
+                            <option value="google_oauth" <?php if(($config_smtp_provider ?? '')==='google_oauth') echo 'selected'; ?>>Google Workspace (OAuth)</option>
+                            <option value="microsoft_oauth" <?php if(($config_smtp_provider ?? '')==='microsoft_oauth') echo 'selected'; ?>>Microsoft 365 (OAuth)</option>
                         </select>
                     </div>
+                    <small class="text-secondary d-block mt-1" id="smtp_provider_hint">
+                        Choose your SMTP provider. OAuth options ignore the SMTP password here.
+                    </small>
                 </div>
 
-                <div class="form-group">
-                    <label>SMTP Username</label>
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
-                        </div>
-                        <input type="text" class="form-control" name="config_smtp_username" placeholder="Username (Leave blank if no auth is required)" value="<?php echo nullable_htmlentities($config_smtp_username); ?>">
-                    </div>
-                </div>
 
-                <div class="form-group">
-                    <label>SMTP Password</label>
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
-                        </div>
-                        <input type="password" class="form-control" data-toggle="password" name="config_smtp_password" placeholder="Password (Leave blank if no auth is required)" value="<?php echo nullable_htmlentities($config_smtp_password); ?>" autocomplete="new-password">
-                        <div class="input-group-append">
-                            <span class="input-group-text"><i class="fa fa-fw fa-eye"></i></span>
+                <!-- Standard SMTP fields (show only for standard_smtp) -->
+                <div id="smtp_standard_fields">
+                    <div class="form-group">
+                        <label>SMTP Host</label>
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <span class="input-group-text"><i class="fa fa-fw fa-server"></i></span>
+                            </div>
+                            <input type="text" class="form-control" name="config_smtp_host" placeholder="Mail Server Address" value="<?php echo nullable_htmlentities($config_smtp_host); ?>" required>
                         </div>
                     </div>
+
+                    <div class="form-group">
+                        <label>SMTP Port</label>
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <span class="input-group-text"><i class="fa fa-fw fa-plug"></i></span>
+                            </div>
+                            <input type="number" min="0" class="form-control" name="config_smtp_port" placeholder="Mail Server Port Number" value="<?php echo intval($config_smtp_port); ?>" required>
+                        </div>
+                    </div>
+
+                    <div class="form-group">
+                        <label>Encryption</label>
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
+                            </div>
+                            <select class="form-control" name="config_smtp_encryption">
+                                <option value=''>None</option>
+                                <option <?php if ($config_smtp_encryption == 'tls') { echo "selected"; } ?> value="tls">TLS</option>
+                                <option <?php if ($config_smtp_encryption == 'ssl') { echo "selected"; } ?> value="ssl">SSL</option>
+                            </select>
+                        </div>
+                    </div>
+
+                    <div class="form-group">
+                        <label>SMTP Username</label>
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
+                            </div>
+                            <input type="text" class="form-control" name="config_smtp_username" placeholder="Username (Leave blank if no auth is required)" value="<?php echo nullable_htmlentities($config_smtp_username); ?>">
+                        </div>
+                    </div>
+
+                    <div class="form-group" id="smtp_password_group">
+                        <div class="form-group">
+                            <label>SMTP Password</label>
+                            <div class="input-group">
+                                <div class="input-group-prepend">
+                                    <span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
+                                </div>
+                                <input type="password" class="form-control" data-toggle="password" name="config_smtp_password" placeholder="Password (Leave blank if no auth is required)" value="<?php echo nullable_htmlentities($config_smtp_password); ?>" autocomplete="new-password">
+                                <div class="input-group-append">
+                                    <span class="input-group-text"><i class="fa fa-fw fa-eye"></i></span>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
                 </div>
 
                 <hr>
@@ -159,9 +185,10 @@ require_once "includes/inc_all_admin.php";
                     </div>
                 </div>
 
-                <div id="oauth_fields" style="display:none;">
+                <!-- OAuth shared fields (show for google_oauth / microsoft_oauth) -->
+                <div id="smtp_oauth_fields" style="display:none;">
                     <hr>
-                    <h5 class="mb-2">OAuth Settings</h5>
+                    <h5 class="mb-2">OAuth Settings (shared for IMAP & SMTP)</h5>
                     <p class="text-secondary" id="oauth_hint">
                         Configure OAuth credentials for the selected provider.
                     </p>
@@ -403,64 +430,65 @@ require_once "includes/inc_all_admin.php";
 
 <script>
 (function(){
-  const sel = document.getElementById('config_imap_provider');
-  const pwdGrp = document.getElementById('imap_password_group');
-  const oauthWrap = document.getElementById('oauth_fields');
-  const standardWrap = document.getElementById('standard_fields');
-  const tenantRow = document.getElementById('tenant_row');
-  const oauthHint = document.getElementById('oauth_hint');
-  const providerHint = document.getElementById('imap_provider_hint');
-
   function setDisabled(container, disabled){
     if(!container) return;
-    container.querySelectorAll('input, select, textarea').forEach(el => {
-      el.disabled = !!disabled;
-    });
+    container.querySelectorAll('input, select, textarea').forEach(el => el.disabled = !!disabled);
   }
 
-  function toggleFields(){
-    if(!sel) return;
-    const v = sel.value || '';
-    const isNone = v === '';
-    const isStd  = v === 'standard_imap';
-    const isG    = v === 'google_oauth';
-    const isM    = v === 'microsoft_oauth';
-    const isOAuth = isG || isM;
+  function wireProvider(selectId, standardWrapId, passwordGroupId, oauthWrapId, tenantRowId, hintId, oauthHintId){
+    const sel   = document.getElementById(selectId);
+    const std   = document.getElementById(standardWrapId);
+    const pwd   = document.getElementById(passwordGroupId);
+    const oauth = document.getElementById(oauthWrapId);
+    const ten   = document.getElementById(tenantRowId);
+    const hint  = document.getElementById(hintId);
+    const ohint = document.getElementById(oauthHintId);
 
-    // Show/hide containers
-    if (pwdGrp)        pwdGrp.style.display       = isStd ? '' : 'none';
-    if (oauthWrap)     oauthWrap.style.display    = isOAuth ? '' : 'none';
-    if (standardWrap)  standardWrap.style.display = isStd ? '' : 'none';
-    if (tenantRow)     tenantRow.style.display    = isM ? '' : 'none';
+    function toggle(){
+      const v = (sel && sel.value) || '';
+      const isNone  = (v === 'none' || v === '');
+      const isStd   = v === 'standard_smtp' || v === 'standard_imap';
+      const isG     = v === 'google_oauth';
+      const isM     = v === 'microsoft_oauth';
+      const isOAuth = isG || isM;
 
-    // Disable inputs inside hidden sections to avoid accidental submission
-    setDisabled(pwdGrp,       !isStd);
-    setDisabled(standardWrap, !isStd);
-    setDisabled(oauthWrap,    !isOAuth);
+      if (std)   std.style.display   = isStd ? '' : 'none';
+      if (pwd)   pwd.style.display   = isStd ? '' : 'none';
+      if (oauth) oauth.style.display = isOAuth ? '' : 'none';
+      if (ten)   ten.style.display   = isM ? '' : 'none';
 
-    // Update hints
-    if (providerHint) {
-      providerHint.textContent = isNone
-        ? 'Choose a provider to reveal the relevant settings.'
-        : isStd
-          ? 'Standard IMAP: provide host, port, encryption, username, and password.'
-          : isG
-            ? 'Google Workspace OAuth: provide Client ID & Secret; paste the refresh token; username should be the mailbox address.'
-            : 'Microsoft 365 OAuth: provide Client ID, Secret & Tenant ID; paste the refresh token; username should be the mailbox address.';
-    }
-    if (oauthHint) {
-      oauthHint.textContent = isG
-        ? 'Google Workspace OAuth: Client ID & Secret from Google Cloud; Refresh token generated via OAuth consent.'
-        : isM
-          ? 'Microsoft 365 OAuth: Client ID, Secret & Tenant ID from Entra ID; Refresh token generated via OAuth consent.'
-          : 'Configure OAuth credentials for the selected provider.';
+      setDisabled(std,   !isStd);
+      setDisabled(pwd,   !isStd);
+      setDisabled(oauth, !isOAuth);
+
+      if (hint) {
+        hint.textContent = isNone
+          ? 'Disabled.'
+          : isStd
+            ? 'Standard: provide host, port, encryption, username & password.'
+            : isG
+              ? 'Google OAuth: set Client ID/Secret; paste a refresh token; username should be the mailbox email.'
+              : 'Microsoft 365 OAuth: set Client ID/Secret/Tenant; paste a refresh token; username should be the mailbox email.';
+      }
+      if (ohint) {
+        ohint.textContent = isG
+          ? 'Google Workspace OAuth: Client ID/Secret from Google Cloud; Refresh token via consent.'
+          : isM
+            ? 'Microsoft 365 OAuth: Client ID/Secret/Tenant from Entra ID; Refresh token via consent.'
+            : 'Configure OAuth credentials for the selected provider.';
+      }
     }
+
+    if (sel) { sel.addEventListener('change', toggle); toggle(); }
   }
 
-  if (sel) {
-    sel.addEventListener('change', toggleFields);
-    toggleFields();
-  }
+  // IMAP (you already have these IDs in your page)
+  wireProvider('config_imap_provider', 'standard_fields', 'imap_password_group',
+               'oauth_fields', 'tenant_row', 'imap_provider_hint', 'oauth_hint');
+
+  // SMTP (the IDs we just added)
+  wireProvider('config_smtp_provider', 'smtp_standard_fields', 'smtp_password_group',
+               'smtp_oauth_fields', 'smtp_tenant_row', 'smtp_provider_hint', 'smtp_oauth_hint');
 })();
 </script>
 
diff --git a/db.sql b/db.sql
index 8e1f4443..ee73d44d 100644
--- a/db.sql
+++ b/db.sql
@@ -1981,6 +1981,7 @@ CREATE TABLE `settings` (
   `company_id` int(11) NOT NULL,
   `config_current_database_version` varchar(10) NOT NULL,
   `config_start_page` varchar(200) DEFAULT 'clients.php',
+  `config_smtp_provider` enum('standard_smtp','google_oauth','microsoft_oauth') DEFAULT NULL,
   `config_smtp_host` varchar(200) DEFAULT NULL,
   `config_smtp_port` int(5) DEFAULT NULL,
   `config_smtp_encryption` varchar(200) DEFAULT NULL,
@@ -2765,4 +2766,4 @@ CREATE TABLE `vendors` (
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
--- Dump completed on 2025-09-12 15:55:31
+-- Dump completed on 2025-09-15 17:22:23
diff --git a/functions.php b/functions.php
index 70c9117a..272bd397 100644
--- a/functions.php
+++ b/functions.php
@@ -7,10 +7,13 @@ DEFINE("WORDING_ROLECHECK_FAILED", "You are not permitted to do that!");
 require_once "plugins/PHPMailer/src/Exception.php";
 require_once "plugins/PHPMailer/src/PHPMailer.php";
 require_once "plugins/PHPMailer/src/SMTP.php";
+require_once "plugins/PHPMailer/src/OAuthTokenProvider.php";
+require_once "plugins/PHPMailer/src/OAuth.php";
 
 // Initiate PHPMailer
 use PHPMailer\PHPMailer\PHPMailer;
 use PHPMailer\PHPMailer\Exception;
+use PHPMailer\PHPMailer\OAuthTokenProvider;
 
 // Function to generate both crypto & URL safe random strings
 function randomString($length = 16) {
@@ -688,6 +691,23 @@ function validateAccountantRole() {
     }
 }
 
+/**
+ * Minimal token provider for PHPMailer XOAUTH2 without external deps.
+ */
+class StaticTokenProvider implements OAuthTokenProvider {
+    private $email;
+    private $accessToken;
+    public function __construct(string $email, string $accessToken) {
+        $this->email = $email;
+        $this->accessToken = $accessToken;
+    }
+    public function getOauth64(): string {
+        // XOAUTH2 SASL string: "user=<email>\x01auth=Bearer <token>\x01\x01"
+        $authString = "user={$this->email}\x01auth=Bearer {$this->accessToken}\x01\x01";
+        return base64_encode($authString);
+    }
+}
+
 // Send a single email to a single recipient
 function sendSingleEmail($config_smtp_host, $config_smtp_username, $config_smtp_password, $config_smtp_encryption, $config_smtp_port, $from_email, $from_name, $to_email, $to_name, $subject, $body, $ics_str)
 {
diff --git a/includes/database_version.php b/includes/database_version.php
index b4caf4ef..fed44bcb 100644
--- a/includes/database_version.php
+++ b/includes/database_version.php
@@ -5,4 +5,4 @@
  * It is used in conjunction with database_updates.php
  */
 
-DEFINE("LATEST_DATABASE_VERSION", "2.3.3");
+DEFINE("LATEST_DATABASE_VERSION", "2.3.4");
diff --git a/includes/load_global_settings.php b/includes/load_global_settings.php
index 6bb95226..a872ec6f 100644
--- a/includes/load_global_settings.php
+++ b/includes/load_global_settings.php
@@ -12,6 +12,7 @@ $config_azure_client_id = $row['config_azure_client_id'];
 $config_azure_client_secret = $row['config_azure_client_secret'];
 
 // Mail - SMTP
+$config_smtp_provider = $row['config_smtp_provider'];
 $config_smtp_host = $row['config_smtp_host'];
 $config_smtp_port = intval($row['config_smtp_port']);
 $config_smtp_encryption = $row['config_smtp_encryption'];