Your WordPress site looks great. Your contact form looks great. A visitor submits it, the form says “Thanks, we’ll be in touch!” — and the notification email never arrives in your inbox. Or it arrives in spam. Or it arrives three hours late, after the lead has already moved on.
You’re not unlucky. WordPress email is broken by default — and most fixes only solve half of the problem. Here’s why, and how to fix it for good.
Why wp_mail() emails go to spam
WordPress’s built-in wp_mail() function is a thin wrapper around PHP’s mail() function. By default, when your site sends an email, three things happen that almost guarantee delivery problems:
1. The “From” address fails SPF
Out of the box, WordPress sends from wordpress@yourhost.com (where yourhost.com is your hosting provider’s server hostname — not your real domain). When Gmail or Outlook receive this message, they check whether your hosting provider is authorized to send mail for that domain. It usually isn’t. SPF check fails. Message goes to spam.
2. There’s no DKIM signature
Modern mail servers expect every legitimate email to be cryptographically signed with DKIM. PHP’s default mail() function doesn’t sign anything. Even if SPF passes, the lack of DKIM signature is a strong spam signal to Gmail and Outlook.
3. DMARC alignment is impossible
Even if you manually set the From address to your real domain, the underlying sending IP is your shared hosting server — which has zero relationship with your domain. DMARC checks fail. Gmail silently drops the message.
The shared-host nightmare
Diagnose your WordPress delivery problem
Run these four checks in order:
1. Submit your contact form, password reset, or test order
Use a Gmail address you control. Wait 5 minutes. Check inbox AND spam folder. If it’s in spam, you have an SPF/DKIM/DMARC problem. If it’s missing entirely, you have a delivery problem.
2. Check your site’s mail log
Most WordPress sites don’t log outbound mail by default. If you have any SMTP / mail plugin installed (WP Mail SMTP, FluentSMTP, SecureSMTP), check its log for the recent send. Status should be “Delivered.” If status is “Failed,” the message never left your server.
3. Run a mail-tester.com diagnostic
Go to mail-tester.com (free, no signup). Send a test message from your WordPress site to the address they give you. Read the report. A score below 7/10 explains the problem.
4. Check the “From” address being used
Send yourself a test email and inspect the headers. Look for theFrom: line. If it says wordpress@your-host-server-name.com instead of your real domain, that’s your problem in one line.
Three ways to fix WordPress email
Option 1: Configure SPF + DKIM manually (free, complex)
You can configure your hosting provider’s mail server to send from your real domain with proper SPF/DKIM/DMARC. This usually requires support tickets to your host, DNS record changes, and constant babysitting when records expire or get reset.
Pros: Free.
Cons: Most shared hosts don’t let you do this. Even on managed hosts, you’ll spend 4–8 hours setting it up and another 1–2 hours per month maintaining it. And it only fixes one site.
Option 2: Install an SMTP plugin + sign up for a mail service
Install WP Mail SMTP or FluentSMTP, then sign up for SendGrid / Mailgun / Brevo / SES, configure DKIM on the mail service side, paste credentials into the SMTP plugin, watch for quota errors and reputation problems.
Pros: Works reasonably well.
Cons: Two services to manage (the SMTP plugin and the mail provider). DKIM setup is non-trivial. Each provider has different quota tiers, billing, and dashboards. Total setup time: 2–4 hours for someone who’s done it before; a full afternoon for first-timers.
Option 3: Install the SecureSMTP plugin (5 minutes, recommended)
One plugin. One signup. Done. SecureSMTP combines the SMTP routing layer and the authenticated mail service in a single workflow — no third-party SMTP provider to configure, no DNS gymnastics required if you accept the zero-config sender.
Recommended: SecureSMTP plugin setup (5 minutes)
- Sign up free at securessmtp.com/signup — 100 emails/month included, no card required.
- Dashboard → API keys → Create. Copy the key.
- WordPress Admin → Plugins → Add New → Upload Plugin → upload the SecureSMTP plugin .zip.
- Activate → Settings → SecureSMTP → paste the API key → Save and test connection.
- You should see a green “Connected” status and a successful test send.
That’s it. From this moment, every email your WordPress site sends — contact form notifications, password resets, WooCommerce order confirmations, comment notifications, plugin updates — flows through SecureSMTP’s authenticated infrastructure with SPF + DKIM + DMARC alignment.
Want to send from your custom domain?
yourdomain.com. Copy the 2 DNS records we generate (1 TXT for SPF, 1 CNAME for DKIM), paste them into your DNS provider, click Verify. From then on, every email sends fromnoreply@yourdomain.com — fully authenticated.Verify it’s working
- Run mail-tester.com again. Score should jump to 9+/10.
- Send yourself a test order/form submission. Should arrive in inbox within 30 seconds.
- Check the plugin Mail Log. Status: Delivered. Bounce: 0. Open: 1 (if you opened the email).
- Check Gmail’s “Show original” on the test email. SPF: pass. DKIM: pass. DMARC: pass.
wp_mail() vs SMTP plugins vs SecureSMTP
| Feature | wp_mail() default | WP Mail SMTP + SendGrid | SecureSMTP plugin |
|---|---|---|---|
| Setup time | 0 min | 2–4 hours | 5 minutes |
| DKIM signing | No | Manual config | Automatic |
| Mail log | No | Limited | Full per-plugin breakdown |
| Spam classifier | No | No | AI scoring on every send |
| Hosted forms | No | No | Yes |
| Webhook events | No | No | Real-time |
| Cost | Free (broken) | $0–$15/mo | Free / $7/mo |
| Services to manage | 0 | 2 | 1 |
Frequently asked questions
Does this work on any WordPress host (managed, shared, VPS)?+
Yes. SecureSMTP routes outbound mail through the SecureSMTP API, bypassing your host's PHP mail() function entirely. Whether you're on Bluehost shared, WP Engine managed, Kinsta, Cloudways, a Hetzner VPS, or self-hosted on a Raspberry Pi — the plugin behaves identically. No host-level config required.
What about WP Mail SMTP, FluentSMTP, and other SMTP plugins?+
They solve a different layer of the problem. WP Mail SMTP and FluentSMTP route mail through SMTP services like SendGrid, Brevo, or Mailgun — you still have to set up an account with those services, configure DKIM, manage IP reputation, and watch quotas. SecureSMTP is a single drop-in plugin: install it, paste an API key, done. No third-party SMTP service to configure, no DNS setup beyond what your SecureSMTP dashboard guides you through.
Will my WooCommerce / Gravity Forms / WPForms emails work too?+
Yes. SecureSMTP intercepts every call to wp_mail() at the WordPress core level. That means WooCommerce order confirmations, Gravity Forms / WPForms / Forminator / Contact Form 7 / Elementor Forms notifications, password reset emails, comment notifications, plugin update notifications — every single email WordPress sends goes through SecureSMTP automatically. No per-plugin configuration.
What if the plugin or SecureSMTP API has an outage?+
The plugin falls back to WordPress's default wp_mail() handler automatically. Your customer's order confirmation still gets sent — it just goes through the old (less reliable) path during the outage. The plugin retries via SecureSMTP automatically when the API is reachable again. You'll see fallback events in the plugin's Mail Log so you know exactly what happened.
Do I need to set up SPF, DKIM, and DMARC records myself?+
Only if you want mail to send from your custom domain (recommended). If you're fine with our zero-config sender (noreply@send.securessmtp.com), no DNS changes are needed and you can be sending in under 60 seconds. For custom domain sending, the dashboard generates the exact DNS records you need — copy/paste 2 records into your DNS provider and you're done.
How is this different from just adding DKIM to my domain?+
DKIM only helps if WordPress's mail server is also allowed to sign for your domain. Most shared hosts don't expose DKIM configuration at the PHP mail() layer, so even if you add DKIM records, your wp_mail() emails won't be signed correctly. SecureSMTP's sending infrastructure is configured to sign every send with your domain's DKIM key, so authentication works regardless of how your host is configured.
Can I see which plugin/form sent which email?+
Yes. The Mail Log in your WordPress admin shows every wp_mail() call: which plugin triggered it, recipient, subject, body, status (sent/delivered/bounced/complained), and timestamps. Filter by plugin name to see "all emails from WooCommerce in the last 30 days" or "all password reset emails" instantly. The SecureSMTP cloud dashboard mirrors this with cross-site analytics if you run multiple WordPress installs.
Ready to fix it?