WordPress And Email Deliverability: The Specifics That Matter

WordPress sites send emails through PHP's mail() function by default. The function works on most servers but produces emails that frequently land in spam folders rather than inboxes. Site owners often don't notice the problem because their own email arrives fine; they don't realize their users' emails are being filtered.

The fix is to use SMTP rather than PHP's mail() function, configure authentication correctly, and verify deliverability rather than assuming it works. The specifics matter because partial fixes often produce false confidence.

Why PHP mail() fails

PHP mail() sends emails through the local sendmail or postfix process on the server. The email's "From" address is whatever WordPress sets it to, but the actual sending IP, the sending hostname, and the email envelope characteristics often don't match the From address.

Modern spam filters (Gmail, Outlook, Apple Mail) check whether the sending characteristics align with the From address. Misalignment triggers spam filtering even for legitimate emails.

Specifically, spam filters check:

• Does the sending IP have a valid PTR record matching the From domain?
• Does the From domain have SPF records authorizing the sending IP?
• Is the email signed with DKIM matching the From domain?
• Does the domain have a DMARC policy that's satisfied by SPF or DKIM?

PHP mail() sends emails that fail several of these checks because they're sent from the WordPress server (which isn't authorized to send for the From domain in most setups).

The SMTP fix

Configure WordPress to send emails through SMTP rather than PHP mail(). The pattern: install an SMTP plugin (WP Mail SMTP is the standard choice), configure it with credentials from a transactional email service (Amazon SES, SendGrid, Postmark, Mailgun), and verify the configuration with a test email.

The transactional email services handle: proper sending IP reputation, SPF and DKIM authentication, bounce and complaint handling, deliverability monitoring. The cost is small (typically $5-$20/month for low-volume sending) and the deliverability improvement is large.

The pattern that fails: configuring SMTP through Gmail or another personal email account. Gmail's SMTP works for occasional sends but isn't designed for transactional email volume. The first time WordPress tries to send 50 emails quickly (a bulk notification, a form submission flood), Gmail's SMTP rate-limits or blocks the account.

The authentication setup

SPF: a DNS TXT record at your domain that lists which IP addresses or hostnames are authorized to send email from your domain. The SMTP provider gives you the value to set.

DKIM: a public key in DNS that lets recipients verify the email was actually signed by your domain. The SMTP provider generates the key and gives you the DNS values to set.

DMARC: a policy that tells recipients what to do with emails that fail SPF or DKIM. Starting policy: p=none (don't reject, just report). After verifying everything works: p=quarantine (mark suspicious as spam) or p=reject (block entirely).

All three records need to be set up at your DNS host. The SMTP provider's documentation walks through the specifics. The setup takes 15-30 minutes for someone who knows DNS; longer for someone learning DNS.

The verification

After SMTP configuration, send test emails to several different email providers (a Gmail account, an Outlook account, a Yahoo account, the email of a real user). Check that all of them arrive in inbox rather than spam.

Use mail-tester.com to test deliverability. Send an email to the address it provides; the tool returns a score and identifies any deliverability issues. The score should be 9-10/10. Lower scores point to specific issues to fix.

Use Google Postmaster Tools (postmaster.google.com) to monitor deliverability to Gmail addresses over time. The tools show spam rates, reputation indicators, and authentication results.

The transactional email providers

Amazon SES: cheapest at $0.10 per 1,000 emails. Setup is more technical than alternatives (requires AWS account, IAM configuration). Best for sites with technical comfort and meaningful email volume.

SendGrid: free tier covers 100 emails per day; paid tiers start at $19.95/month. Simpler setup than SES. Wider range of features (templates, marketing email capabilities).

Postmark: $15/month for 10,000 emails. Premium pricing but exceptional deliverability and clean dashboard. Best for transactional email where deliverability is critical (password resets, order confirmations).

Mailgun: $35/month for 50,000 emails. Similar feature set to SendGrid. Strong developer focus.

For most WordPress sites in 2026, Postmark or SendGrid are the appropriate choices depending on budget. Amazon SES makes sense for sites with technical resources and significant email volume.

The specific WordPress email types

WordPress sends several types of email automatically:

• Password reset emails (must arrive; users can't log in without them)
• New user notification emails (admin notifications when users register)
• Comment notifications (sent to commenters when their comments get replies)
• Plugin-specific emails (form submissions, e-commerce order confirmations, membership notifications)

Each of these benefits from reliable SMTP delivery. A password reset that lands in spam costs the user; an order confirmation that lands in spam can damage the business relationship.

The honest framing

Most WordPress sites send email; most WordPress sites have suboptimal email deliverability; most site owners don't realize this. The fix takes 1-2 hours of setup and produces dramatic improvement.

The cost of doing nothing is invisible but real. Users who request password resets and don't receive them try once and give up. Subscribers who don't receive newsletters disengage. Customers who don't receive order confirmations contact support unnecessarily or assume the order failed.

The improvement compounds: better deliverability means users actually receive emails, which means they engage with what the emails contain, which feeds back into engagement signals for the site overall.