Email deliverability: the practical checklist for WordPress sites

How to get transactional and marketing emails reliably into inboxes — SPF, DKIM, DMARC, list hygiene, and the hosting mistakes that break everything.

Most email deliverability problems on WordPress sites come from a small number of causes: wrong sending infrastructure, missing authentication records, or sending reputation damage. Here is the complete checklist.

The foundation: proper email authentication

Before sending anything, set up the three authentication records in DNS. Without these, your email goes to spam regardless of how good your content is.

SPF (Sender Policy Framework)

SPF specifies which mail servers are allowed to send email for your domain.

v=spf1 include:_spf.your-mail-provider.com ~all

Common mistakes:

Forgetting to include your web server when it sends email
Using ~all (softfail) instead of +all — +all means “only these servers” and anything else is hard fail
Having multiple SPF records (there can be only one)

DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to outgoing email. Your mail server signs with a private key; the receiving server verifies with the public key published in DNS.

Most transactional email providers (Postmark, Mailgun, SendGrid) give you the DKIM record to add. Set it up before sending anything.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receivers what to do with email that fails SPF or DKIM.

Start with:

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

This generates reports without affecting delivery. Once you are sending authenticated email reliably, change p=none to p=quarantine then p=reject.

WordPress email sending options

Default PHP mail()

wp_mail() uses PHP’s mail() function by default, which routes through the server’s local mail transfer agent (MTA). This is the worst option for deliverability:

Shared IP reputation is unpredictable
No authentication headers
Easy to mark as spam

Never use PHP mail() for anything that matters.

SMTP plugins (FluentSMTP, WP Mail SMTP)

These route WordPress email through a proper SMTP service with authentication. This is the minimum acceptable approach.

Free SMTP services worth considering:

Postmark — strict sending policies, excellent deliverability, charges per email
Amazon SES — cheapest professional option, requires some setup
Mailgun — generous free tier, good deliverability
SendGrid — free tier is marketing-focused, not great for transactional

What to avoid

SendGrid’s free tier has daily sending limits that break WooCommerce order emails during sales events
Any service that does not support SPF/DKIM properly
Your hosting provider’s shared SMTP relay if you are on shared hosting

List hygiene: the most ignored deliverability factor

If you send marketing or newsletter emails, your list quality determines your deliverability more than any DNS record.

Rules:

Remove hard bounces immediately (a second send to a bouncing address damages reputation)
Authenticate list signups (double opt-in is the gold standard)
Remove inactive subscribers quarterly — sending to people who never open drags down engagement metrics
Never buy email lists — you inherit their spam-trap addresses and terrible reputation

WooCommerce-specific email issues

WooCommerce sends transactional emails (order confirmation, password reset, shipping notifications) via whatever WordPress is configured to use. Common failure modes:

Server IP is on a blocklist — shared hosting IPs get blacklisted constantly
From address mismatch — if the From domain does not match your SPF/DKIM, receivers may reject it
Missing template headers — custom WooCommerce email templates sometimes omit the MIME headers that authentication requires
Cron not running — WooCommerce uses WP cron for some email queuing. If cron is broken, emails queue and then send in a burst that looks like a spam spike

Fix:

# Check WooCommerce email queue
wp eval 'var_dump(\Automattic\WooCommerce\Utilities\OrderUtil::get_instance()->get_orders([...]));'

# Force process the email queue (if a plugin supports it)
# Or ensure WP cron is running
wp cron event list --upcoming

Testing your deliverability

mail-tester.com — send a test email to their address and get a score
ssllabs.com/ssltest — check your domain’s email security setup
mxtoolbox.com/blacklists — check if your server IP is on any blocklists
postmaster.google.com — Google Postmaster Tools for Gmail deliverability data

The deliverability hierarchy

Use a dedicated transactional email service (Postmark, Amazon SES)
Set up SPF, DKIM, DMARC correctly
Send from a consistent domain and IP
Monitor your sending reputation
Never use your hosting provider’s shared SMTP for high-volume sending

If you are on shared hosting and transactional emails are failing, the answer is not to tweak DNS — it is to move email sending to a specialist service.