This is as much a way for me to remember in the event I need it in the future, but it took me a lot searching to finally find the answer so it may benefit others as well.
Gmail by default bans the use of less secure apps (e.g. apps that authenticate by a plain password instead of an OAuth token), which can be disabled in the security settings but it’s best to authenticate through OAuth if possible. Msmtp now supports using OAuth to connect and send messages but it requires some setup.
Once you’ve got your refresh token and client IDs add this to your msmtp config file under the appropriate account, editing as needed:
auth oauthbearer passwordeval "/path/to/oauth2.py --quiet --user=username --client_id=XXXXX --client_secret=XXXXX --refresh_token=XXXXXX"
Save and you should be good to go. If you’ve enabled less secure apps in the past go turn it off.