For years, website owners treated email as an afterthought. The contact form either sent or it did not. That is no longer good enough. In 2026, email deliverability is a first-class hosting concern with real business consequences.

What changed

Major providers tightened authentication requirements

Google and Yahoo implemented stricter email authentication requirements in early 2024. As of 2026, these are fully enforced:

  • SPF — Sending IP must be authorised in the domain’s SPF record
  • DKIM — Messages must be signed with a valid DKIM key
  • DMARC — Domain must have at least a p=none DMARC policy
  • One-click unsubscribe — Bulk senders must support list-unsubscribe headers
  • Spam rate threshold — Must stay below 0.3% (Google’s published threshold)

Mail that fails these checks is increasingly routed to spam, silently dropped, or bounced. For ecommerce sites sending order confirmations, password resets, and shipping notifications, this directly affects revenue.

Hosting migrations break email silently

The most common migration mistake remains changing web hosting and accidentally disturbing mail DNS. MX records get overwritten, SPF includes removed, DKIM selectors lost. The web team celebrates a successful migration while the client discovers three days later that no one received their contact form submissions.

WordPress mail defaults are unreliable

WordPress’s built-in wp_mail() function uses PHP’s mail(), which sends from the web server. Without proper SMTP routing:

  • Mail may be rejected for lacking SPF/DKIM alignment
  • The server’s IP may have poor reputation (common on shared hosting)
  • No tracking, no retry logic, no delivery confirmation
  • Contact form spam poisons the sending reputation

What every site needs now

1. Authenticated sending

RecordPurposeRisk if missing
SPFAuthorises sending IPsMail rejected or spammed
DKIMCryptographically signs messagesMail flagged as forged
DMARCTells receivers how to handle failuresNo visibility into abuse or delivery issues

2. Transactional email routing

Do not send from the web server. Use a transactional email service:

  • Postmark — Fast, developer-focused, excellent deliverability
  • SendGrid — Large free tier, good for high volume
  • Mailgun — Developer-friendly, good API
  • Amazon SES — Cheapest at scale, more setup work
  • Brevo (Sendinblue) — All-in-one with marketing features
  • SMTP2GO — Simple, good reporting, no marketing features

3. WordPress SMTP plugin

Install FluentSMTP (free, actively maintained) or Post SMTP. Configure it with your transactional email provider’s SMTP or API credentials. This replaces WordPress’s default mail() with authenticated sending.

4. Monitoring

  • Set up DMARC aggregate reports (rua=mailto:...)
  • Use Google Postmaster Tools (free for any domain sending to Gmail)
  • Monitor bounce rates in your email provider’s dashboard
  • Set up alerts if delivery rates drop below 95%

The launch and migration checklist

Every new site launch or migration should include:

  • SPF record includes all sending services
  • DKIM records added for each sending domain
  • DMARC record present (start with p=none)
  • WordPress SMTP plugin installed and configured
  • Contact form test (check spam folder)
  • Password reset test
  • Transactional email test (WooCommerce order, membership welcome, etc.)
  • DNS records exported and stored
  • Google Postmaster Tools domain verified
  • Test email to Gmail, Outlook, Yahoo, and a custom domain

Signs your email deliverability is broken

  • Contact form submissions stop arriving
  • Password reset emails never reach users
  • WooCommerce order confirmations go to spam
  • Users report not receiving email but it appears in your sent queue
  • DMARC reports show high failure rates
  • Blacklist checker shows your domain or IP on lists

Quick diagnostic commands

# Check SPF
dig TXT example.com +short | grep spf

# Check DKIM (common selectors)
dig TXT google._domainkey.example.com +short
dig TXT default._domainkey.example.com +short
dig TXT sg._domainkey.example.com +short

# Check DMARC
dig TXT _dmarc.example.com +short

# Check MX
dig MX example.com +short

# Test port 25 reachability
telnet smtp.example.com 587

Practical take

Email is part of hosting now. Treat it with the same level of attention as SSL certificates or database backups — it belongs in your checklist, your monitoring, and your incident response plan. A site that loads fast but cannot send password reset emails is half-broken.