
How to Set Up WordPress SMTP for Reliable Email Delivery

Mar 3, 2026 | 10 min read
Hostney, hostney.com, October 7, 2023

WordPress sends emails for everything: contact form submissions, password resets, new user registrations, WooCommerce order confirmations, comment notifications. But out of the box, it uses PHP’s mail() function to send them, and that function is terrible at actually getting emails delivered.

The problem is that mail() sends email directly from your web server without any authentication. It doesn’t prove that your server is authorized to send email for your domain. To receiving mail servers, these messages look identical to spam sent from a compromised server, because that’s exactly what most unauthenticated email from web servers is. The result: your emails land in spam folders, get silently dropped, or never arrive at all.

SMTP fixes this. Instead of your web server sending email directly, it hands the message to a dedicated mail service that authenticates properly, signs the message, and delivers it through infrastructure that email providers actually trust.

Why PHP mail() fails

When WordPress calls mail(), your web server connects directly to the recipient’s mail server and delivers the message. No username, no password, no verification that your server is allowed to send email for your domain. Here’s what goes wrong:

No authentication. The receiving server has no way to verify the email is legitimate. Gmail, Outlook, and Yahoo all weigh authentication heavily in spam filtering. An unauthenticated email from a random web server IP address is treated with suspicion by default.

No encryption. PHP’s mail() typically sends over port 25 without TLS. The message travels in plain text, which is both a security risk and another spam signal to receiving servers.

IP reputation problems. On shared hosting, your server’s IP address is shared with other websites. If any of them send spam (or have been hacked and are sending spam unknowingly), the IP gets blacklisted, and your legitimate emails get caught in the crossfire.

No delivery tracking. When an email fails to deliver via mail(), you get no notification, no bounce message, no log entry. The email just disappears. You don’t know it failed until a customer tells you they never received their order confirmation.

SMTP solves all of these. You authenticate with a dedicated email service, messages are signed and encrypted, delivery is tracked, and you get logs showing exactly what happened to every email.

How SMTP works with WordPress

The setup is straightforward: you install a WordPress plugin that intercepts outgoing emails and routes them through an SMTP server instead of PHP’s mail() function. The plugin handles the connection, authentication, and encryption. WordPress and your plugins don’t need any changes; they keep calling the same email functions, and the SMTP plugin handles the delivery method behind the scenes.

You need two things:

  1. An account with an SMTP email service
  2. A WordPress SMTP plugin to connect your site to that service

Choosing an SMTP service

Several services handle transactional email (the kind WordPress sends). They differ in pricing, free tier limits, and features, but they all solve the core problem. Some popular options:

SMTP2Go offers a free tier of 1,000 emails per month with email tracking, bounce management, and a straightforward SMTP setup. Good for small to medium sites.

SendGrid (owned by Twilio) provides 100 free emails per day. Widely used, well-documented, and scales to high volume. Offers both SMTP and API-based sending.

Brevo (formerly Sendinblue) includes 300 free emails per day. Also offers marketing email features if you need them alongside transactional email.

Mailgun targets developers with detailed API documentation and analytics. Includes a free trial, then pay-as-you-go pricing.

Amazon SES is the cheapest option at volume ($0.10 per 1,000 emails) but requires more technical setup. Best suited for developers comfortable with AWS.

Your own email provider. If you have a business email account (Google Workspace, Microsoft 365, Zoho), you can use its SMTP server directly. This works for low-volume sites but most providers cap sending at a few hundred emails per day, which may not be enough for busy WooCommerce stores or membership sites.

For most WordPress sites, a dedicated transactional email service is the better choice. They’re built for this purpose, have strong sender reputations, and provide delivery tracking that consumer email accounts don’t.

Choosing a WordPress SMTP plugin

Three plugins dominate this space:

WP Mail SMTP is the most widely used. Clean interface, supports all major SMTP providers with guided setup wizards, includes email logging and a test email tool. The free version covers everything most sites need. The pro version adds detailed logging, email tracking, and backup SMTP connections.

Post SMTP (formerly Postman SMTP) is feature-rich and completely free. Offers detailed delivery logs with failure diagnostics, OAuth 2.0 authentication for Gmail and Outlook, and a built-in connectivity test. Slightly more technical to configure but gives you more visibility into what’s happening.

FluentSMTP is a newer free option with a clean interface and support for multiple SMTP connections simultaneously. If one provider fails, it can fall back to another.

All three work well. WP Mail SMTP is the safest choice if you want the simplest setup. Post SMTP is worth considering if you want detailed delivery diagnostics without paying for a premium plugin.

Step-by-step setup with WP Mail SMTP

This walkthrough uses WP Mail SMTP since it’s the most common choice, but the general process is similar for any SMTP plugin.

Install and activate the plugin

  1. In your WordPress dashboard, go to Plugins > Add New
  2. Search for “WP Mail SMTP”
  3. Click Install Now, then Activate

Configure the sender details

Go to WP Mail SMTP > Settings. Fill in the general settings:

From Email: The address your WordPress emails will be sent from (e.g., notifications@yourdomain.com). This should be an address on your own domain, not a Gmail or Outlook address.

From Name: The sender name recipients will see (e.g., your site name or business name).

Force From Email: Check this box. It ensures all WordPress emails use your configured sender address, overriding any plugin that tries to set its own.

Select your mailer and enter SMTP credentials

Under Mailer, select “Other SMTP” for a generic SMTP connection, or choose your specific provider if it’s listed (Gmail, SendGrid, etc.) for a guided setup.

For a generic SMTP connection, enter these details from your SMTP provider:

SMTP Host: Your provider’s server address (e.g., mail.smtp2go.com for SMTP2Go, smtp.sendgrid.net for SendGrid)

Encryption: Select TLS (recommended) or SSL

SMTP Port: 587 for TLS, 465 for SSL. TLS on port 587 is the modern standard.

Authentication: Toggle on

SMTP Username: Your provider’s username (often your email address or an API key)

SMTP Password: Your provider’s password or API key

Save the settings.

Send a test email

Go to the Email Test tab. Enter your email address and click Send Email. Check your inbox (including spam) for the test message.

If the test succeeds, your SMTP configuration is working. If it fails, the error message will usually point to the problem: wrong credentials, blocked port, or incorrect server address.

Troubleshooting failed SMTP connections

“Could not authenticate” or “Authentication failed”: Your username or password is wrong. Double-check them with your SMTP provider. If using Gmail, you need an App Password (not your regular Google password) since Google disabled less-secure app access.

Connection timed out: Your hosting server can’t reach the SMTP server. This usually means your host blocks outgoing connections on port 587 or 465. Contact your hosting provider to confirm these ports are open. Some hosts block all outgoing SMTP traffic and require you to use their own mail server or a provider API instead of SMTP.

“Certificate verification failed”: A TLS certificate mismatch. Try switching from TLS to SSL (or vice versa) and changing the port accordingly. Some older servers have outdated CA certificates that don’t recognize newer SSL certificates.

Test email succeeds but real emails still go to spam: The SMTP connection is working but your domain’s email authentication records are missing. This is the next section.

Setting up SPF, DKIM, and DMARC

SMTP gets your emails delivered, but email authentication records tell receiving servers that those emails are legitimate. Without them, your emails may still land in spam, even through a proper SMTP connection.

These are DNS records you add to your domain. Your SMTP provider will give you the specific values.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which servers are authorized to send email for your domain. It’s a TXT record in your DNS.

A typical SPF record looks like this:

v=spf1 include:_spf.smtp2go.com ~all

This says: “Emails from my domain are legitimate if they come from SMTP2Go’s servers. Treat everything else with suspicion.”

If you use multiple email services (e.g., Google Workspace for business email and SMTP2Go for WordPress), include all of them:

v=spf1 include:_spf.google.com include:_spf.smtp2go.com ~all

You can only have one SPF record per domain. If you already have one, add the new include: to the existing record rather than creating a second one.
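The merge rule above, as an added Python example (not part of the original article or of any provider's tooling). The function names and the sample TXT records are constructed for illustration; the 10-lookup limit it checks comes from RFC 7208.

```python
import re

def _is_spf(txt):
    parts = txt.split()
    return bool(parts) and parts[0].lower() == "v=spf1"

def merge_spf_include(txt_records, new_include):
    """Return the one SPF record to publish after adding new_include.

    txt_records: every TXT string currently published at the domain apex.
    """
    spf = [r for r in txt_records if _is_spf(r)]
    if len(spf) > 1:
        # Two v=spf1 records make receivers return permerror for all mail.
        raise ValueError("multiple SPF records published; merge them first")
    if not spf:
        return f"v=spf1 include:{new_include} ~all"
    terms = spf[0].split()
    wanted = f"include:{new_include}"
    if wanted.lower() in (t.lower() for t in terms):
        return " ".join(terms)  # already authorized, nothing to add
    # Terms are evaluated left to right, so the include must sit before
    # the terminating "all" mechanism (or a redirect= modifier).
    stop = next((i for i, t in enumerate(terms)
                 if t.lstrip("+-~?").lower() == "all"
                 or t.lower().startswith("redirect=")), len(terms))
    terms.insert(stop, wanted)
    return " ".join(terms)

def dns_lookup_terms(record):
    """Count top-level terms that cost a DNS lookup (RFC 7208 limit: 10).

    Lookups nested inside each include also count toward the limit; this
    offline check only sees the record it is given.
    """
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        if name.startswith(("include:", "exists:", "redirect=", "ptr")) \
                or re.match(r"(a|mx)([:/]|$)", name):
            count += 1
    return count

# Constructed sample: TXT records of a domain already using Google Workspace.
EXISTING = ["google-site-verification=EXAMPLE",
            "v=spf1 include:_spf.google.com ~all"]
MERGED = merge_spf_include(EXISTING, "_spf.smtp2go.com")
```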

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key published in your DNS to verify the email hasn’t been tampered with and came from an authorized sender.

Your SMTP provider generates the DKIM key pair and gives you a DNS record to publish. It’s typically a TXT or CNAME record that looks something like:

s123456._domainkey.yourdomain.com  CNAME  s123456.domainkey.smtp2go.com

The exact format varies by provider. Follow your provider’s specific instructions for this one.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails. It also provides reporting so you can see who’s sending email using your domain.

Start with a monitoring-only policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This doesn’t block anything. It just collects reports showing which servers are sending email using your domain and whether those emails pass SPF and DKIM. Review the reports for a few weeks to make sure everything legitimate is passing.

Once you’re confident, tighten the policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

p=quarantine sends failing emails to spam. p=reject blocks them entirely. Move to reject once you’re sure all legitimate email sources are authenticated.

Verify your records

After adding DNS records, verify them with a tool like MXToolbox or your SMTP provider’s built-in verification. DNS changes can take up to 48 hours to propagate, though most take effect within an hour.

Send another test email after verification. Check the email headers (in Gmail: click the three dots > “Show original”) and look for:

spf=pass
dkim=pass
dmarc=pass

All three should show pass. If any show fail or neutral, revisit the corresponding DNS record.
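The header check above can be scripted against a saved copy of the test message. This is an added Python example, not from the original article; the message and both server names are constructed, and `trusted_authserv_id` is an assumed parameter naming the receiving server whose verdict you accept, since any other Authentication-Results header could have been written by anyone along the path.

```python
import re
from email import message_from_string

# Constructed message headers. The second Authentication-Results header was
# not written by our receiving server and must not be believed.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@yourdomain.com header.s=s123456;
 spf=pass smtp.mailfrom=notifications@yourdomain.com;
 dmarc=fail (p=NONE) header.from=yourdomain.com
Authentication-Results: relay.unrelated.example;
 spf=pass; dkim=pass; dmarc=pass
From: notifications@yourdomain.com
Subject: WP Mail SMTP test

Test body.
"""

def auth_results(raw_message, trusted_authserv_id):
    """Return {"spf": ..., "dkim": ..., "dmarc": ...} from the trusted header."""
    results = {}
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        # The text before the first ";" identifies the server that wrote it.
        authserv_id, _, rest = str(header).partition(";")
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            # Keep the first verdict seen for each method.
            results.setdefault(method.lower(), result.lower())
    return results

def failing_checks(raw_message, trusted_authserv_id):
    """List the checks that are missing or not 'pass'."""
    results = auth_results(raw_message, trusted_authserv_id)
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
```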

Common WordPress email scenarios

Contact forms (WPForms, Contact Form 7, Gravity Forms): These rely on WordPress’s email function, so they automatically use your SMTP configuration once it’s set up. No additional configuration needed in the form plugin.

WooCommerce order emails: WooCommerce sends a high volume of transactional emails (order confirmations, shipping notifications, refund receipts). SMTP is especially important here since a customer who doesn’t receive their order confirmation will contact support or dispute the charge. Make sure your SMTP provider’s sending limits can handle your order volume.

User registration and password resets: These are critical emails that users expect immediately. If they don’t arrive within a few seconds, users assume they failed and either abandon the process or flood your support queue. SMTP with a reliable provider ensures these arrive promptly.

Scheduled emails from plugins (newsletters, digests, notifications): If you use a plugin that sends scheduled bulk emails, check that it’s compatible with your SMTP plugin. Some bulk email plugins bypass the WordPress mail function and connect directly to an email API, in which case the SMTP plugin doesn’t apply to those messages.

Maintaining your SMTP setup

Monitor your email logs. WP Mail SMTP and Post SMTP both log sent emails. Check these periodically for failures. A sudden spike in failed deliveries could mean your SMTP credentials expired, your provider suspended your account, or your sending domain’s reputation has changed.

Keep your plugin updated. SMTP plugins handle authentication credentials, so security patches matter. Update promptly when new versions are released.

Watch your sending limits. Free tiers have monthly or daily caps. If your site grows past those limits, emails will queue up or fail silently. Upgrade your plan before you hit the ceiling, not after customers start complaining.

Rotate credentials if compromised. If you suspect your SMTP credentials have been exposed (a plugin vulnerability, a compromised server, credentials committed to a public repository), regenerate them through your SMTP provider immediately and update the plugin settings.

Check out the WP Mail SMTP documentation for detailed plugin-specific guidance, or the WordPress email documentation for how WordPress handles email under the hood.

Try Hostney web hosting free for 14 days. Every plan includes full SSH access, free SSL, and a server environment where outgoing SMTP ports are open and ready to connect to the email provider of your choice.
