A client messaged me last year convinced her new site was “broken” because nobody was filling out her contact form. The form was fine. The emails were firing every time. They were just landing in her Gmail spam folder, or not arriving at all. This is one of the most common issues I run into after 10+ years of building WordPress sites and handling 950+ Fiverr client projects, and almost nobody notices until they’ve already lost leads.
If your WordPress emails are going to spam, or your contact form seems to work but nothing ever shows up in your inbox, the cause is almost always the same thing: WordPress’s default mail system. Here’s what’s actually happening and how to fix it for good.
Why WordPress Emails Go to Spam in the First Place
By default, WordPress sends every email (contact form notifications, password resets, WooCommerce order confirmations) through PHP’s built-in mail() function. That function has no authentication attached to it. It just hands the message to your server and hopes for the best.
Gmail, Outlook, and Yahoo don’t trust unauthenticated mail anymore. They want proof the email actually came from your domain, not someone spoofing it. Without that proof, your message either gets dumped straight into spam or silently dropped before it even reaches an inbox. Some hosts also throttle or block mail() entirely, which is why it can look like the form “randomly” stops working.
I’ve audited enough client sites to say this confidently: if you’ve never touched your site’s email setup, there’s a good chance it’s running on unauthenticated PHP mail right now.
The Real Fix: Stop Using PHP Mail, Start Using SMTP
The fix isn’t a spam-folder trick or a plugin setting buried three menus deep. It’s switching your site from PHP mail to SMTP, which sends email through an authenticated provider instead of your bare server. This is the single change that fixes 90% of “WordPress emails going to spam” cases I’ve seen.
How to set up SMTP on WordPress
- Install a free SMTP plugin like WP Mail SMTP or FluentSMTP.
- Pick a transactional email provider. For most small business sites, Brevo or SMTP.com work well and have generous free tiers.
- Create an account with that provider and grab the SMTP credentials (host, port, username, API key).
- Enter those credentials into the plugin’s setup wizard.
- Send a test email from the plugin’s dashboard and confirm it lands in your inbox, not spam.
That’s it. Fifteen minutes of setup, and every email your site sends now goes out authenticated. If you’re still relying on Contact Form 7’s default mail handling, this is also a good moment to check out our breakdown of Contact Form 7 alternatives, since some of the newer form plugins handle email deliverability far better out of the box.
Fixing the “From” Address Spoofing Problem
Here’s a specific issue I see constantly with contact forms: by default, plugins like Contact Form 7 set the “From” address to whatever email the visitor typed into the form. So if someone named John submits your form, the email technically claims to be “from” John’s Gmail address, sent through your server. Gmail and Outlook recognize that as spoofing and bounce or spam-flag it immediately.
The fix is simple: set the “From” address to an email on your own domain (like noreply@yourdomain.com), and put the visitor’s email in the “Reply-To” field instead. You’ll still be able to hit reply and respond directly to them, but the email itself is legitimately authenticated as coming from your domain, which is exactly what inbox providers want to see.
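The From/Reply-To swap described above can also be enforced site-wide in code. This is an added example, not code from the original post or from any form or SMTP plugin; the function name `example_fix_from_headers` and the `SITE_FROM` constant are hypothetical, and it assumes it is loaded as a small must-use plugin.

```php
<?php
// Added example: not code from the article, Contact Form 7, or any SMTP plugin.
// Assumption: SITE_FROM is a mailbox on the domain your provider sends for.
const SITE_FROM = 'noreply@yourdomain.com'; // placeholder address from the article

// Force From to the site's own address and move whatever address the form
// put in From (the visitor's) into Reply-To.
function example_fix_from_headers($headers): array
{
    // wp_mail() accepts headers as a string or an array; normalise to lines.
    $lines = is_array($headers) ? $headers : preg_split('/\r\n|\r|\n/', (string) $headers);
    $out = [];
    $visitor = null;
    $hasReplyTo = false;

    foreach ($lines as $line) {
        $line = trim((string) $line);
        if ($line === '') {
            continue;
        }
        if (preg_match('/^From:\s*(.*)$/i', $line, $m)) {
            // Accept "Name <addr>" or a bare "addr"; the original From line is dropped.
            $visitor = preg_match('/<([^>]+)>/', $m[1], $a) ? trim($a[1]) : trim($m[1]);
            continue;
        }
        if (preg_match('/^Reply-To:/i', $line)) {
            $hasReplyTo = true; // keep a Reply-To the form already set correctly
        }
        $out[] = $line;
    }
    $out[] = 'From: ' . SITE_FROM;
    // Only a syntactically valid address is copied, so the value cannot carry extra header lines.
    if (!$hasReplyTo && $visitor !== null && filter_var($visitor, FILTER_VALIDATE_EMAIL)
        && strcasecmp($visitor, SITE_FROM) !== 0) {
        $out[] = 'Reply-To: ' . $visitor;
    }
    return $out;
}

if (function_exists('add_filter')) {
    // Inside WordPress: the wp_mail filter receives to/subject/message/headers/attachments.
    add_filter('wp_mail', function (array $args): array {
        $args['headers'] = example_fix_from_headers($args['headers'] ?? []);
        return $args;
    });
} else {
    // Stand-alone run on constructed headers, as a form plugin might produce them.
    print_r(example_fix_from_headers("From: John <john@example.com>\r\nContent-Type: text/plain"));
}
```

Some SMTP plugins have their own option to force the From address; if yours does, the plugin setting and this filter should name the same mailbox.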
SPF, DKIM, and DMARC: The DNS Records That Actually Matter
SMTP gets you most of the way there, but for full deliverability you also want three DNS records set up on your domain:
- SPF tells inbox providers which servers are allowed to send email on behalf of your domain.
- DKIM attaches a digital signature to your emails so providers can verify they weren’t tampered with.
- DMARC tells inbox providers what to do with email that fails SPF or DKIM checks.
Your SMTP provider will give you the exact record values to add. You just paste them into your domain’s DNS settings. If your domain is proxied through Cloudflare, which I recommend for most sites, check out my guide to setting up Cloudflare for WordPress for how DNS records work there without breaking anything else on your site.
Most SMTP providers walk you through adding these automatically, and it usually takes under 10 minutes once you’re in your DNS dashboard.
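Once the records are pasted in, a quick sanity check catches the usual mistakes (a second SPF record, a missing DMARC policy). This is an added example, not tooling from the article or from any provider; the function name and the record strings are constructed, `spf.provider.example` is a placeholder, and DKIM is left out because its selector name depends on the provider.

```php
<?php
// Added example, not from the article or any provider's tooling.
// For live data, pass in the TXT strings for the domain and for _dmarc.<domain>, e.g.
//   array_column(dns_get_record('yourdomain.com', DNS_TXT) ?: [], 'txt')

// Return a list of problems found in a domain's SPF and DMARC TXT records.
function example_audit_mail_dns(array $domainTxt, array $dmarcTxt): array
{
    $problems = [];

    // SPF: exactly one TXT record at the domain itself may start with "v=spf1".
    $spf = array_values(array_filter($domainTxt, fn($r) => preg_match('/^v=spf1(\s|$)/i', $r)));
    if (count($spf) === 0) {
        $problems[] = 'no SPF record';
    } elseif (count($spf) > 1) {
        $problems[] = 'multiple SPF records (receivers treat this as an error)';
    } elseif (preg_match('/(^|\s)\+?all(\s|$)/i', $spf[0])) {
        $problems[] = 'SPF uses all/+all, which authorizes every server';
    } elseif (!preg_match('/(^|\s)[-~]all(\s|$)|redirect=/i', $spf[0])) {
        $problems[] = 'SPF has no -all or ~all terminator';
    }

    // DMARC: one record at _dmarc.<domain>, with a p= tag naming the policy.
    $dmarc = array_values(array_filter($dmarcTxt, fn($r) => preg_match('/^v=DMARC1\s*(;|$)/i', $r)));
    if (count($dmarc) !== 1) {
        $problems[] = count($dmarc) ? 'multiple DMARC records' : 'no DMARC record at _dmarc.<domain>';
    } else {
        $tags = [];
        foreach (explode(';', $dmarc[0]) as $pair) {
            if (strpos($pair, '=') !== false) {
                [$k, $v] = array_map('trim', explode('=', $pair, 2));
                $tags[strtolower($k)] = strtolower($v);
            }
        }
        $p = $tags['p'] ?? '';
        if (!in_array($p, ['none', 'quarantine', 'reject'], true)) {
            $problems[] = 'DMARC record has no valid p= policy';
        } elseif ($p === 'none') {
            $problems[] = 'DMARC p=none only monitors; failing mail is still delivered as usual';
        }
    }
    return $problems;
}

// Constructed sample records for a domain that has only just been set up.
print_r(example_audit_mail_dns(
    ['v=spf1 include:spf.provider.example ~all', 'site-verification=constructed'],
    ['v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com']
));
```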
Quick Checklist Before You Call It Fixed
- SMTP plugin installed and connected to a real email provider, not PHP mail
- “From” address uses your own domain, not the visitor’s email
- SPF, DKIM, and DMARC records added to your domain’s DNS
- Test email sent and confirmed in the inbox, not spam
- Contact form tested with a real submission from a different email account
I run through this exact checklist on every new WordPress site I build, right alongside the other essentials I cover in my list of plugins I install on every new site. Email deliverability isn’t optional infrastructure; it’s the difference between getting a client’s inquiry and never knowing it existed.
Fix your email setup once, properly, and you stop wondering whether that “no submissions this week” is really true or just spam eating your leads.
Frequently Asked Questions
Most WordPress sites send email through PHP’s default mail() function, which has no authentication. Gmail, Outlook, and Yahoo flag unauthenticated mail as spam or block it outright. Switching to SMTP with a real email provider fixes this in most cases.
Usually one of three things: your host is blocking PHP mail, the “From” address is spoofing the visitor’s email and getting flagged, or the notification email in your form settings is wrong. Setting up SMTP and correcting the From/Reply-To fields resolves this for almost every site I’ve audited.
Yes. The free version of WP Mail SMTP (and alternatives like FluentSMTP) covers everything most small business sites need: connecting to a provider, sending authenticated email, and running test sends. You only need a paid plan if you’re sending very high email volumes.
They’re DNS records that prove your emails are genuinely coming from your domain and haven’t been tampered with. SMTP alone helps, but adding these records is what pushes your deliverability from “usually fine” to consistently landing in the inbox. Your SMTP provider will give you the exact values to add.
After setting up SMTP, send a test email from the plugin’s dashboard to a personal account, then also submit your live contact form from a different email address to confirm the full flow works, not just the plugin’s internal test.
