Unfortunately, many WordPress (and non-WordPress) sites on the internet send email in a way that modern email-sending best practices have left behind. The most common issue I’ve seen is that when a site sends an email (e.g. a contact or enquiry form submission, or a confirmation email following an interaction with the site), it simply spoofs the send-as email address. The email then carries a forged sender address, and modern spam filters will likely mark it as spam.

This article covers some of the ways email spoofing is used, and how to avoid the need to spoof emails sent from your website: use a real SMTP server, and publish SPF and DKIM records in your domain’s DNS to declare that SMTP server an authentic sender of email for your domain.

Below are two different scenarios. Spoofing occurs in both, but only the first is responsible for spam filters’ sensitivity and attention to spoofing:

  1. An online phishing scammer attempts to trick a target into clicking a link in an email. This link leads to an unauthentic, yet realistic-looking online banking portal login form, which the scammer uses to collect the login details submitted. The email uses the bank’s corporate branding to look legitimate, and contains some kind of call-to-action – perhaps “password reset required”, or “log in to confirm a deposit from a new payer”. Another way a scammer may try to demonstrate the email’s legitimacy is by spoofing the banking institution’s corporate domain, so the email appears to be sent from the bank (i.e. FROM:[email protected] as opposed to FROM:[email protected]).
  2. A barber shop has an appointment request facility on its website, which allows customers to request a booking by submitting a form containing their contact information and preferred appointment date/time. The website uses the name and email address the customer submitted in the booking form as the sender name and address. Using the customer’s name as the sender name may be handy when searching a mailbox for past correspondence with a particular customer. Using the customer’s email address as the sender address means that responding to the customer’s enquiry can be done by simply clicking Reply. This use of the customer’s email address as the sender address is effectively spoofing, although without any malicious intent.

As a web developer, you will most commonly encounter something like the second scenario. It’s important that emails sent from your site are in line with modern email-sending best practices, so that spam filters on the receiving end don’t falsely identify them as spam. Surprisingly, these best-practice configurations are easy to overlook when using the mail() function PHP provides.

The best way of doing this, I’ve found, is to use an external SMTP service like Mailgun or SendGrid to handle the email sending for you. Both of these services have very reasonable free plans, which are ideal for the email traffic demands of small and growing websites. During the domain set-up process, both services provide instructions and documentation on how to set up the DNS records for your domain.

Both of the above SMTP services offer an API; however, a great way to integrate them without the overhead of connecting to APIs is to use the WP Mail SMTP by WPForms WordPress plugin. This hugely simplifies the integration of one of these external SMTP services, and ensures that any emails sent by WordPress (including system, user and password-reset emails) go through the configured SMTP service rather than PHP’s basic mail() function.
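To make the second scenario concrete, here is an added example (not code from the original post or from the plugin) of the barber shop’s booking form handler written the spoofing way and the correct way, first with plain PHP mail() and then with WordPress’s wp_mail(). The addresses, function names and subject line are assumed for illustration.

```php
<?php
// Added example (not from the original post): the barber-shop booking form from
// scenario 2. Addresses and function names are assumed for illustration.

// BEFORE: the customer's submitted address becomes the From: address. The site
// is now sending "as" the customer's domain, which that domain's SPF and DKIM
// records do not authorise, so receiving spam filters are likely to junk it.
function send_booking_spoofed(string $name, string $email, string $body): bool
{
    $headers = "From: {$name} <{$email}>\r\n";
    return mail('bookings@example-barber.test', 'Appointment request', $body, $headers);
}

// Build headers that keep From: on the site's own domain (the one whose SPF and
// DKIM records cover the SMTP service) and put the customer in Reply-To:, so
// clicking Reply still goes to the customer. Returns null on bad input.
function booking_headers(string $name, string $email): ?array
{
    // Accept a single well-formed address only; FILTER_VALIDATE_EMAIL also
    // rejects CR/LF that would let the value spill into extra header lines.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The display name is free text, so strip line breaks from it as well.
    $name = str_replace(["\r", "\n"], '', $name);
    return [
        'From: Example Barber Bookings <bookings@example-barber.test>',
        sprintf('Reply-To: %s <%s>', $name, $email),
    ];
}

// AFTER, with plain PHP mail(): same recipient, subject and body as before.
function send_booking(string $name, string $email, string $body): bool
{
    $headers = booking_headers($name, $email);
    if ($headers === null) {
        return false;
    }
    return mail('bookings@example-barber.test', 'Appointment request', $body, implode("\r\n", $headers));
}

// AFTER, inside WordPress: wp_mail() takes the same header lines as an array,
// and with WP Mail SMTP configured the message leaves via the SMTP service.
function send_booking_wp(string $name, string $email, string $body): bool
{
    $headers = booking_headers($name, $email);
    return $headers !== null && wp_mail('bookings@example-barber.test', 'Appointment request', $body, $headers);
}
```

The From: address must be on the domain whose SPF and DKIM records authorise the SMTP service you configured; the customer’s address only ever appears in Reply-To:.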

