Has your WordPress site ever sent an email which never arrived?
There’s a simple explanation for this – default WordPress websites aren’t correctly configured to send emails.
This includes your WordPress website. It also includes this WordPress site.
In this article we’ll outline the exact nature of the problem – WordPress email delivery – and our solution to it – SureSend.
Understanding WordPress Email Delivery Problems
Have you ever received email SPAM? You probably have, since 45% of all email is actually SPAM.
That’s a lot of SPAM! And there’s a good reason why SPAM is such a huge problem: because it’s easy to send emails, to anyone, from anywhere.
You don’t need a special, so-called “email server” to send an email. You can do it from practically any device connected to the internet.
Sending an email is really very easy.
But, sending an email with the correct signals that indicate to recipient mail servers that it’s a legitimate email is separate challenge entirely.
Let’s consider how email works with WordPress.
A WordPress website comes with PHP code that makes sending emails easy. You just plug-in the information for
email body, and off it goes to send the email.
Let’s say, for example, your site admin email address is set to
[email protected]. Then let’s say a user can’t login and requests a password reset. Your WordPress site will then try to send a password reset link to that user, saying that it’s coming from the sender above.
Before accepting the email from your WordPress site, the mailbox provider for that user will try to determine if the server trying to send the email (i.e. your WordPress site) is actually authorized to do so, for the
And typically, it isn’t authorized (unless you’ve made it so).
The recipient mail server can then decide how it wants to handle the email. It’ll normally take 1 of 3 paths:
- Accept the email regardless (not likely)
- Accept the email and flag it as SPAM
- Outright reject the email.
From the perspective of the recipient mail server, the following statement describes this scenario:
A completely random device on the internet is trying to send an email from the domain
shieldsecurity.ioto a mailbox I host.
What’s to stop an email SPAMer doing exactly the same thing?
For email to be considered legitimate, the sender of the email must be verified. The WordPress site/server that is sending email on the part of
shieldsecurity.io must be recognised as a legitimate sender for that domain.
And how do you setup a sender as a legitimate sender?
That is where the real work takes place. And is the piece of the puzzle that most WordPress administrators never put into place.
It’s only when important emails stop arriving that an administrator realises that something might be wrong.
How To Improve Email Deliverability For WordPress
The steps to perform this task aren’t within the scope of this article, but we go into some detail on this problem and possible solutions to it here.
We recommend using a dedicated email service provider. They provide a reliable email platform that you can use across all sites in your portfolio. They also normally come with logs and debugging tools which you can use to investigate problems as they arise.
What Is SureSend And What Problem Does It Solve?
Setting up email delivery for your sites can be quite involved, though it isn’t complex. It just takes a some time, the first time around.
So it’s understandable that even knowing about this email deliverability problem, many admins still don’t do anything about it.
It is for those admins that we created SureSend.
SureSend wont solve all your WordPress email problems, but it will step-in to ensure particular critical emails are delivered as expected.
To start with, we’ve integrated SureSend into the ShieldPRO plugin for 2-factor authentication emails.
If you try to log into a WordPress site with Shield’s 2FA protection and you don’t get the email, you can’t complete your login. SureSend can act as the sender for the email (instead of your WordPress site). It uses a correctly configured email domain (sure-send.com) so that the chances of successful email delivery are much higher.
No email delivery is 100% reliable, but we’ve put all the necessary signals in-place to ensure that our emails will get through to your mailbox.
Why Do 2FA Emails Suffer From Deliverability Issues?
As you can imagine, it makes sense that an email originating from an unverified source, containing a login code or such-like, is more likely to be flagged as SPAM or completely rejected altogether.
It’s no accident that it’s the 2FA emails that are most problematic.
This is why we’re adamant that WordPress admins employ a dedicated email service for their websites. Using WordPress alone is rolling the dice, without being able to see what the result of the roll actually is.
If an email is rejected by a recipient’s email provider, how would you ever know?
When Can You Get SureSend?
We’re releasing SureSend for ShieldPRO in version 10, due out in mid-late October 2020.
Currently it only supports emails for 2FA codes, but we’ll expand this over time as we monitor its uptake.
What Are The Future Plans For SureSend?
We’ll monitor how SureSend is used within Shield and gauge the demand for a service that makes it easy to offload emails from a WordPress site.
We feel there’s a real need for something like this for those that don’t want the hassle of setting up a dedicated service provider.
But we’ll monitor and see how things go.
What Considerations Are There For Privacy And GDPR?
Emails and privacy is an important concern.
Currently with SureSend, we don’t log emails sent through our service, though they will be logged through whichever email service provider we employ to send these emails.
The simplest way to not be affected by any privacy concerns you may have is to not enable SureSend in the Shield Security plugin (which isn’t enabled by default), and instead configure your WordPress email delivery correctly, either directly for the hosting server, or using a 3rd party provider.
Questions and Suggestions
As always we value your thoughts and any suggestions you have around SureSend and any new feature we introduce to ShieldPRO.
Is SureSend something you’d find useful? How could it be adjusted to be more useful to you?
Please leave any questions in the comments below and we’ll update the article if needed.
Very nice plugin!! Thanks
Does what it says
One of the best!
The security expert !!
I was tired of blocking automated login attempts and bruteforce attacks. When IP blocking/locking out is not effective when IP spoofing attacks takes place, Simple Security Firewall has its options to block these kind of automated attacks. I love it !!
Thanks for this plugin.