Hosting & VPS Guides

WordPress Email and DNS: SPF, DKIM and Deliverability Basics

Practical guide to WordPress email delivery: SMTP, contact forms, SPF, DKIM, DMARC, MX records, WooCommerce emails and common spam-folder issues.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

WordPress sends email for contact forms, password resets, admin notifications, WooCommerce orders, user registrations and plugin alerts. But WordPress email often fails because the website sends messages without proper authentication or uses the wrong sender address.

Good WordPress email delivery depends on two parts: the sending method inside WordPress and the DNS records for the domain. The safest setup is usually authenticated SMTP or a transactional email provider combined with correct SPF, DKIM and DMARC records.

Quick answer

Quick answer

To improve WordPress email delivery, do not rely only on default PHP mail. Use authenticated SMTP or a transactional email provider, send from an address on your domain, set visitor emails as Reply-To, configure SPF, enable DKIM, publish DMARC, check MX records and test message headers after setup.

WordPress email basics

WordPress email means any message generated by WordPress, plugins or WooCommerce.

Common WordPress emails:

  • contact form submissions
  • password reset emails
  • new user notifications
  • WooCommerce order confirmations
  • customer account emails
  • booking notifications
  • admin alerts
  • plugin security alerts
  • comment notifications
  • membership emails
  • form confirmations

WordPress itself is not an email hosting provider. It needs a reliable sending method and properly configured DNS to deliver messages consistently.

Why WordPress emails fail

WordPress emails often fail because the server sends mail in a way that receiving mailboxes do not trust.

Common causes:

  • default PHP mail used
  • no authenticated SMTP
  • SPF does not authorize the sending server
  • DKIM is missing
  • DMARC alignment fails
  • From address is spoofed
  • contact form uses visitor email as From
  • shared hosting IP reputation is poor
  • mail is sent from a different provider than DNS allows
  • plugin sends too many messages
  • hosting provider blocks or limits mail
  • messages look spam-like
  • domain or IP is blacklisted

The fix is usually not only one plugin. WordPress, SMTP and DNS must match each other.

PHP mail vs SMTP in WordPress

PHP mail

  • easy by default
  • may not authenticate correctly
  • harder to trace
  • often limited by hosting provider
  • may fail SPF/DMARC alignment
  • can be abused by compromised sites

Authenticated SMTP

  • sends through a real mail service
  • uses login credentials or API
  • improves traceability
  • works better with SPF/DKIM/DMARC
  • usually better for contact forms and WooCommerce
  • easier to test and log

For business websites, WooCommerce and important forms, authenticated SMTP or transactional email is usually the better option.

WordPress SMTP setup

A WordPress SMTP plugin connects WordPress to a proper email sender.

Common SMTP options:

  • hosting provider mailbox
  • Google Workspace SMTP
  • Microsoft 365 SMTP
  • Zoho SMTP
  • transactional email provider
  • SMTP relay service
  • mail server on VPS if configured correctly

Setup usually needs:

  • SMTP host
  • SMTP port
  • encryption method
  • username
  • password or app password
  • From email
  • From name
  • Reply-To settings
  • test email
  • email log if supported

Use the exact SMTP settings from the email provider. Guessing ports, encryption or credentials can cause silent delivery failures.

SPF for WordPress

SPF tells receivers which servers are allowed to send mail for your domain.

If WordPress sends through your hosting server, SPF must authorize the hosting mail system.

If WordPress sends through Google, Microsoft, Zoho or a transactional provider, SPF must authorize that provider.

Example SPF
v=spf1 include:_spf.examplemail.com ~all

A domain should normally have only one SPF TXT record. If you use multiple senders, merge them into one SPF record.

DKIM for WordPress

DKIM signs outgoing mail so receiving systems can verify that the message was authorized and not modified.

DKIM is usually configured in:

  • email hosting provider
  • transactional email provider
  • SMTP relay provider
  • control panel email deliverability section
  • mail server software

WordPress itself usually does not create DKIM DNS records. The mail provider gives you a DKIM selector and DNS value to publish.

DMARC for WordPress

DMARC helps receivers decide what to do when SPF or DKIM alignment fails. It also allows reporting.

Starter DMARC example
v=DMARC1; p=none; rua=mailto:dmarc@example.com

Start with p=none while testing. Move toward quarantine or reject only after legitimate mail sources pass SPF/DKIM alignment.

MX records and WordPress

MX records control where incoming mail for your domain is delivered.

Important:

  • MX records do not directly control WordPress sending
  • MX records matter for receiving replies
  • MX records must point to your active email provider
  • website migration should not change MX unless email is moving
  • contact forms should send to addresses that actually receive mail

If your website is hosted on one provider and email is hosted elsewhere, keep MX records pointed to the email provider.

From and Reply-To best practice

Contact forms often fail because they use the visitor’s email as the From address.

Bad vs good contact form setup
Bad setup:
From: visitor@gmail.com
Sent by: your WordPress hosting server

Problem:
Your server is not authorized to send mail for gmail.com, so SPF/DMARC may fail.

Good setup:
From: Website <no-reply@example.com>
Reply-To: Visitor Name <visitor@gmail.com>

Use an address on your own domain as the From address. Put the visitor’s email in Reply-To so replies still go to the visitor.

WooCommerce email notes

WooCommerce emails are often business-critical.

Important WooCommerce emails:

  • new order
  • processing order
  • completed order
  • failed order
  • refunded order
  • customer invoice
  • password reset
  • new account
  • shipping notifications

Best practices:

  • use authenticated SMTP or transactional email
  • test order emails after setup
  • monitor failed emails
  • avoid spam-like subject lines
  • keep branding consistent
  • do not send from unauthenticated addresses
  • check SPF/DKIM/DMARC
  • keep email templates clean
  • test on Gmail, Outlook and business mailbox

For stores, email delivery is part of revenue. Order and password reset emails should not depend on unreliable PHP mail.

Why this matters

Why this matters

WordPress email matters because missed messages can mean lost leads, missed orders, failed password resets, angry customers and broken admin workflows. A website can look healthy while its email quietly fails.

DNS authentication helps receiving mail systems trust that WordPress is allowed to send on behalf of your domain.

How to check WordPress email DNS

Use Domain Health Checker and email-specific tools to review DNS and authentication.

  1. MX records — Confirm replies and mailbox delivery go to the right provider.
  2. SPF — Confirm the SMTP or transactional provider is authorized.
  3. DKIM — Confirm the DKIM selector is published.
  4. DMARC — Confirm DMARC exists and policy is appropriate.
  5. Sending method — Confirm WordPress uses SMTP/API instead of unreliable local mail.
  6. From address — Confirm From uses your domain.
  7. Reply-To — Confirm visitor email is used as Reply-To where appropriate.
  8. Test headers — Send a real test and check SPF, DKIM and DMARC results.

Check WordPress email DNS

Use Domain Health Checker to review MX, SPF, DKIM, DMARC and related domain signals for WordPress email delivery.

Run Domain Health Check →

Common problems

Default PHP mail used

Medium

WordPress sends through local server mail without reliable authentication.

Next step: Configure authenticated SMTP or a transactional provider.

SPF does not include sender

Medium

The SMTP provider or hosting server is not authorized in SPF.

Next step: Update SPF to include the real sending service.

DKIM missing

Medium

Outgoing messages are not signed.

Next step: Enable DKIM in the mail provider and publish the DNS record.

DMARC alignment fails

Medium

From domain does not align with SPF or DKIM authenticated domain.

Next step: Use a proper domain sender and verify alignment.

Contact form spoofs visitor email

Medium

The form uses the visitor’s email as From.

Next step: Use your domain as From and visitor email as Reply-To.

WooCommerce emails go to spam

High

Important order emails are not trusted or look spam-like.

Next step: Use transactional email and verify SPF/DKIM/DMARC.

WordPress sends too many emails

Medium

Plugin notifications, alerts or spam submissions create volume spikes.

Next step: Limit notifications and protect forms from spam.

Shared hosting mail limit reached

Medium

Provider hourly/daily sending limits are exceeded.

Next step: Reduce sending or use transactional email.

MX points to wrong provider

High

Replies or incoming mail go to the wrong mail server.

Next step: Restore MX records from the active email provider.

Domain or IP blacklisted

High

Mail may be rejected or placed in spam.

Next step: Fix the sending source, secure WordPress and check blacklist status.

How to improve WordPress email delivery

  1. Step 1: Identify current sending method

    Check whether WordPress uses PHP mail, SMTP or an external provider.

  2. Step 2: Choose reliable sender

    Use hosting SMTP, business email SMTP or a transactional email provider.

  3. Step 3: Configure SMTP plugin

    Add SMTP host, port, encryption, credentials, From address and test email.

  4. Step 4: Fix SPF

    Authorize the real sender in one SPF record.

  5. Step 5: Enable DKIM

    Publish the DKIM record from your mail or transactional provider.

  6. Step 6: Add DMARC

    Start with monitoring and verify legitimate mail passes.

  7. Step 7: Fix form sender settings

    Use your domain as From and visitor email as Reply-To.

  8. Step 8: Test WooCommerce and forms

    Send real test emails and check headers.

  9. Step 9: Monitor bounces

    Review failed delivery, logs and provider reports.

  10. Step 10: Protect WordPress

    Reduce spam submissions, update plugins and secure admin access.

Good WordPress email setup

Good WordPress email setup
Recommended setup:

WordPress sends through:
Authenticated SMTP or transactional email provider

From:
Website Name <no-reply@example.com>

Reply-To for contact forms:
Visitor Name <visitor@example.net>

SPF:
Authorizes the SMTP/transactional provider

DKIM:
Enabled and passing

DMARC:
Published and monitored

MX:
Points to the active mailbox provider

Result:
WordPress messages are sent from an authenticated domain and replies still work.

When to use transactional email

Transactional email is recommended when WordPress sends important automated messages.

Use transactional email for:

  • WooCommerce order emails
  • invoices
  • password resets
  • booking confirmations
  • membership emails
  • user onboarding
  • form confirmations
  • account notifications
  • high-volume website notifications

Benefits:

  • better sending infrastructure
  • logs and delivery events
  • bounce tracking
  • domain authentication
  • API/SMTP support
  • higher reliability than local PHP mail
  • easier troubleshooting

Transactional email is usually better than shared hosting mail for business-critical WordPress messages.

WordPress email testing checklist

WordPress email testing checklist

Use this checklist after configuring WordPress SMTP and DNS records.

SMTP plugin connected

Confirm the plugin connects to the mail provider.

Test email sends successfully

Send a test message from the SMTP plugin.

Contact form sends to correct mailbox

Submit a real form and confirm delivery.

From address uses your domain

Avoid visitor or third-party domains as From.

Reply-To uses visitor email

Set visitor address in Reply-To for contact forms.

SPF passes

Confirm SPF authorizes the real sender.

DKIM passes

Confirm DKIM signature verifies.

DMARC passes or aligns

Check DMARC result on test messages.

WooCommerce order email sends

Place a test order and confirm delivery.

Password reset email sends

Test account recovery email flow.

Emails reach Gmail/Outlook/business mailbox

Test major mailbox providers.

Spam folder checked

Review spam placement after setup.

Bounce logs reviewed

Check provider or plugin bounce reports.

Form spam protection enabled

Use CAPTCHA or anti-spam controls.

Old PHP mail method disabled if replaced

Ensure WordPress uses the new sender.

Useful DNS and email checks

Useful DNS and email checks
Check MX:
dig example.com MX

Check SPF:
dig example.com TXT

Check DMARC:
dig _dmarc.example.com TXT

Check DKIM selector:
dig selector._domainkey.example.com TXT

Check website status:
curl -I https://example.com

Header checks after test email:
SPF: pass
DKIM: pass
DMARC: pass
From: no-reply@example.com
Reply-To: visitor@example.net

Commands are examples. Replace example.com and selector with your real domain and DKIM selector.

Frequently asked questions

Why does WordPress email go to spam?

Common causes include PHP mail, missing SPF, missing DKIM, DMARC alignment failure, shared IP reputation or spam-like content.

Should WordPress use SMTP?

Yes, for most business sites. Authenticated SMTP is usually more reliable than default PHP mail.

What From address should contact forms use?

Use an address on your own domain, such as no-reply@example.com. Put the visitor email in Reply-To.

Do MX records control WordPress sending?

Not directly. MX controls incoming mail, but it still matters for replies and mailbox delivery.

Do I need SPF, DKIM and DMARC?

Yes. They help receiving mail systems verify that messages from your domain are legitimate.

Is transactional email better for WooCommerce?

Usually yes. Order emails, password resets and invoices should use reliable authenticated sending.

Can a plugin alone fix deliverability?

Not fully. The plugin must send through a properly authenticated provider, and DNS must be correct.

Use these free tools to verify your configuration after applying changes.

Browse all Hosting & VPS guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.