WordPress Email Deliverability: Why Your Emails Go to Spam and How to Fix It

WordPress sends emails constantly: contact form submissions, WooCommerce order confirmations, password resets, new user notifications, admin alerts. If these emails are going to spam — or not arriving at all — you have an email deliverability problem. Here's why it happens and how to fix it permanently.

Why WordPress Emails Fail to Deliver

By default, WordPress sends email using PHP's mail() function. This calls the local mail server (Sendmail or Postfix) on your hosting server, which then attempts to deliver the email directly to the recipient's mail server.

The problem: this mechanism has no authentication. The email arrives at Gmail or Outlook claiming to be from info@yoursite.com, but it comes from an IP address that has no cryptographic proof that it's authorized to send email for yoursite.com. Modern spam filters treat this as suspicious.

Specific failure reasons:

No SPF record: SPF (Sender Policy Framework) lists which IP addresses are authorized to send email for your domain. If your hosting server's IP isn't in your SPF record — and it usually isn't, because you didn't add it — receiving mail servers see the email as potentially spoofed.

No DKIM signature: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email that proves it was sent by an authorized server. PHP's mail() doesn't add DKIM signatures by default. Without DKIM, your email is unverified.

No DMARC policy: DMARC ties SPF and DKIM together with a policy telling receiving servers what to do with emails that fail authentication. Without DMARC, there's no policy — emails that fail SPF/DKIM may or may not be delivered, depending on the receiving server's judgment.

Shared IP reputation: On shared hosting, many sites share the same outbound IP address. If any of those sites sends spam, the shared IP gets a poor reputation. Your legitimate transactional emails inherit that bad reputation and go to spam.

Reverse DNS mismatch: The IP address your server sends from should have a reverse DNS record that matches your domain. Shared hosting often fails this check.

The Solution: Authenticated SMTP

Stop using PHP's mail() function. Route all WordPress email through an authenticated SMTP service that handles SPF, DKIM, and DMARC correctly.

Your options:

Mailgun (Recommended for High Volume)

Mailgun is built for transactional email — order confirmations, password resets, notifications. The free tier handles 1,000 emails/month. Paid plans start at $35/month for 50,000 emails.

Setup:
1. Create Mailgun account
2. Add and verify your domain
3. Mailgun generates DKIM keys and gives you DNS records to add
4. Add the DNS records at your domain registrar (takes up to 48 hours to propagate)
5. Configure WP Mail SMTP with Mailgun API credentials

SendGrid (Good for High Volume)

SendGrid is similar to Mailgun. Free tier: 100 emails/day. Paid from $20/month.

The SendGrid WordPress plugin integrates directly without needing WP Mail SMTP.

Amazon SES (Cheapest at Scale)

Amazon SES costs $0.10 per 1,000 emails — the cheapest option at volume. Requires more setup and starts in "sandbox mode" that restricts who you can email until you request production access.

Postmark (Best Deliverability for Transactional Email)

Postmark specializes in transactional email with a focus on deliverability. More expensive ($15/month for 10,000 emails) but consistently excellent inbox placement rates.

Google Workspace SMTP (Simple but Limited)

If you use Google Workspace for business email, you can send WordPress emails through Gmail's SMTP servers. Free with your Google Workspace subscription. Limits: 2,000 emails/day, no API — uses SMTP auth.

Not recommended for WooCommerce stores with high order volume. Fine for small sites with mostly contact form email.

Installing and Configuring WP Mail SMTP

WP Mail SMTP is the standard WordPress plugin for routing email through external providers. Install it from the WordPress plugin directory.

Configuration for Mailgun

Mailer: Mailgun
Domain: yoursite.com
Private API Key: (from Mailgun dashboard)
Send From Email: noreply@yoursite.com
Send From Name: Your Site Name

Configuration for SendGrid

Mailer: SendGrid
API Key: (from SendGrid dashboard, needs Mail Send permission)
Send From Email: noreply@yoursite.com
Send From Name: Your Site Name

Configuration for Generic SMTP

If your provider isn't in WP Mail SMTP's supported list:

Mailer: Other SMTP
SMTP Host: smtp.yourprovider.com
Encryption: TLS
SMTP Port: 587
Authentication: On
SMTP Username: your-smtp-username
SMTP Password: your-smtp-password
Send From Email: noreply@yoursite.com

After configuring, use WP Mail SMTP's built-in Email Test to send a test message and verify delivery.

DNS Configuration: SPF, DKIM, DMARC

These three DNS records are the foundation of email authentication. You configure them at your domain registrar's DNS settings.

SPF Record

SPF specifies which servers are allowed to send email for your domain.

If you're sending only through Mailgun:

TXT record: v=spf1 include:mailgun.org ~all

If you're also sending from Google Workspace:

TXT record: v=spf1 include:mailgun.org include:_spf.google.com ~all

If you're sending from multiple services:

TXT record: v=spf1 include:mailgun.org include:_spf.google.com include:sendgrid.net ~all

Rules:
- Only one SPF record per domain (multiple SPF records cause failures)
- -all (hard fail) is stricter than ~all (soft fail) — use ~all until you're confident all legitimate sending sources are listed
- SPF has a 10-lookup limit — using many include: statements can exceed this

DKIM Record

DKIM adds a cryptographic signature to outgoing emails. Each email service generates a DKIM key pair and gives you the public key to add as a DNS record.

Mailgun provides a DKIM record that looks like:

Name: mailo._domainkey.yoursite.com
Type: TXT
Value: k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

Add exactly what your email service provides. The _domainkey subdomain is standard; the prefix (e.g., mailo) is specific to the service.

Verify DKIM is working with a tool like mail-tester.com or MXToolbox's DKIM checker.

DMARC Record

DMARC tells receiving servers what to do when emails fail SPF/DKIM checks. Start with a monitoring-only policy, then tighten it once you've verified all legitimate sending is authenticated.

Start here (monitoring only, no email blocked):

Name: _dmarc.yoursite.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yoursite.com

rua=mailto:dmarc@yoursite.com sends aggregate reports to that address. These reports show who is sending email claiming to be from your domain — useful for finding unauthenticated senders.

After reviewing reports and confirming all legitimate email is authenticated, move to quarantine:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yoursite.com

p=quarantine sends failing emails to spam instead of blocking. pct=25 applies the policy to 25% of failing emails — a gradual rollout.

Once confident, move to reject:

v=DMARC1; p=reject; rua=mailto:dmarc@yoursite.com

p=reject tells receiving servers to discard emails that fail DMARC authentication. This is the final goal — it completely blocks email spoofing of your domain.

WooCommerce Email Configuration

WooCommerce sends several email types that need to work reliably:

• New order (to store owner)
• Processing order (to customer)
• Completed order (to customer)
• Refund (to customer)
• Password reset (to customer)
• New customer registration

Each email type is configurable under WooCommerce → Settings → Emails.

Important settings:

"From" email address: Should match an address on your authenticated domain. Using a Gmail address as the "From" while sending through a different SMTP server causes DMARC failures.

From: orders@yoursite.com    # Correct — matches your domain
From: yourname@gmail.com      # Wrong — causes DMARC issues if sending via Mailgun

Reply-To: Can be a different address. If you want replies to go to a Gmail inbox, set Reply-To to your Gmail without using it as the From address.

Testing WooCommerce Emails

Install the WooCommerce Email Test plugin or use WP Mail SMTP's email log to verify:

1. Place a test order (use WooCommerce's "order by cheque" to avoid payment)
2. Check that the customer order confirmation arrived in inbox (not spam)
3. Check that the admin new order notification arrived
4. Use mail-tester.com to check your spam score before sending real orders

Diagnosing Email Delivery Problems

Email not sending at all

Check WP Mail SMTP's email log (requires Pro, or use the free Email Log plugin). If there's no record of the email being sent, the problem is in WordPress — a plugin not calling wp_mail(), a fatal PHP error during sending, or WP Mail SMTP misconfiguration.

Check PHP error log for SMTP connection errors:

# Via SSH
tail -f /var/log/php-fpm/error.log | grep mail

Email sending but going to spam

Run your email through mail-tester.com: send an email to the address they provide, then check your score. The report shows exactly which checks failed.

Common causes:
- SPF record missing or incorrect
- DKIM not configured
- Sending from an IP with poor reputation (switch to API-based sending instead of SMTP)
- Email content triggering spam filters (check for spammy phrases)

Emails arriving but images broken

WordPress email images reference your domain. If Cloudflare or a CDN is doing image optimization, images in emails may not load correctly. Use absolute URLs for images in email templates and ensure they're accessible without authentication.

WooCommerce order emails not sending

Most commonly caused by:
1. WordPress's default mail() failing silently — install WP Mail SMTP and configure a real SMTP provider
2. The "New order" email is disabled in WooCommerce → Settings → Emails
3. A plugin conflict intercepting wp_mail() — deactivate plugins one by one to identify

Transactional vs Marketing Email

Keep transactional email (order confirmations, password resets, account notifications) separate from marketing email (newsletters, promotional campaigns).

Mixing them on the same IP/domain means that if your newsletter gets flagged as spam, your order confirmation emails suffer. Most SMTP providers support this separation:

• Mailgun: separate domain streams for transactional vs marketing
• SendGrid: separate IP addresses and subdomains
• Postmark: separate message streams

For newsletters and marketing, use a dedicated platform (Mailchimp, Klaviyo, ActiveCampaign) rather than sending through the same SMTP service as your transactional email. They manage list hygiene, unsubscribes, and deliverability at scale.

The Complete Email Checklist

• [ ] WP Mail SMTP installed and configured with an authenticated SMTP provider
• [ ] SPF record added to DNS for your domain
• [ ] DKIM keys generated by your SMTP provider, DNS records added
• [ ] DMARC record added (start with p=none, move to p=reject after verification)
• [ ] WooCommerce "From" address uses your domain, not Gmail
• [ ] Email test sent and received in inbox (not spam)
• [ ] mail-tester.com score above 9/10
• [ ] WooCommerce order confirmation email tested end-to-end
• [ ] Contact form email tested
• [ ] Password reset email tested

Getting email deliverability right is a one-time setup that prevents an ongoing problem. Customers who don't receive their order confirmation email contact support. Customers who don't receive password reset emails can't log back in. Fixing this takes an hour and eliminates an entire category of customer service friction.