Configure WordPress to Use SMTP authentication – a how to Guide.
WordPress SMTP authentication. In this post I’ll be taking about how to set up your WordPress so that it uses SMTP to send emails, why you might want to do this, and the benefits of using SMTP authentication.
Before you start reading this post, you might have a read of this post covering email deliverability and the DNS records that can be used to validate sources of emails.
If you don’t want to read the explanation covering how all this works, you can skip to the section that covers how to set up WordPress SMTP authentication.
What SMTP Authentication is.
SMTP authentication is the processes of authenticating as an SMTP user when sending emails. If you’re using SMTP authentication when send an email, a username and a password are submitted to the SMTP server, which are then validated, to allow you to send the email. Usually a mailbox will have to exist for there to be an SMTP user that has a password set for you to authenticate with.
We’re probably all familiar with having to put usernames and passwords in mail clients like Outlook, Mail for Mac, Thunderbird and the many mail clients available on smart phones, and it’s pretty obvious that a password is needed to receive emails, but the username and password you enter in a mail client is also used when sending emails. The mail clients you use save the username and password so that you don’t have to enter this information when you send every single email.
I guess it all sounds quite obvious so far, but this next part won’t.
Out of the box, unless you’ve configured it to do so, your WordPress doesn’t use SMTP authentication. It has to be configured to do so.
You might well be reading this thinking something like “my site sends me email notifications, but I’m pretty sure I haven’t set that up’. If that’s the case, and you haven’t set up SMTP authentication, WordPress is sending you mails without authenticating against a valid SMTP user.
How WordPress sends emails without SMTP authentication.
WordPress is essentially a PHP driven database backed web application. PHP has a mail() function, and it’s this that a WordPress site uses to send emails without SMTP authentication taking place.
The email generating PHP code within your WordPress installation executes, then submits the generated email to the mail server, which then transmits the mail to the mail server of the recipient the email is directed to. It’s a bit like you writing a letter (like PHP generates an email) and then putting it in the post box for it to be sent on to the recipient (the postal service effectively being the equivalent of the SMTP server).
No authentication takes place when this happens. PHP generates a mail, gives it to the mail server, mail server transmits to the recipient mail server, mail is received by recipient mail server.
It sounds a bit open to being abused doesn’t it?
Well, that can be the case.
The downside of php mail().
I’ll start with the obvious. The PHP mail() function can be, and is often, used to send spam. A lot of spam is PHP generated.
Now I’m not saying your WordPress is spamming, but it is possible (that if you haven’t adequately secured your WordPress) a spammer could inject a script in to it that makes use of the available PHP mail() function and the underlying SMTP server to send spam from your hosting account where your site is contained.
Most hosting type servers will add some headers when emails are generated using PHP, that might look something like this:
So the recipient mail server is, in a lost of cases, able to tell that the email was generated by PHP, rather than a human.
Due to the “a lot of spam emails are PHP generated” factor, emails generated by PHP’s mail() function can be scrutinised by recipient SMTP servers to a greater degree, and they can tell they’re PHP generated from the headers mentioned above.
OK, so that’s one of the main downsides. The other mail downside is that it’s quite easy for PHP mail() generated emails to not conform to Sender Callout Verification.
Sender Callout Verification is essentially a recipient SMTP server asking the transmitting SMTP server if the user (as found in the from address header of the email) actually exists. Although Sender Callout Verification is a bit retro and not as widely used as it once was, some mail providers still undertake this check (and you’ve got no idea who does and who doesn’t), and possible that Sender Callout Verification results may influence spam scoring rules.
Due to this, if the from address in the PHP generated email isn’t set as a valid SMTP user, it’s highly likely that the generated email will be treated as “more spam like” my recipient mail servers.
Sure, you could set up a mailbox, then specify the address of the mailbox in the from header for PHP mail() generated emails, which would make the Sender Callout Verification succeed, but if you don’t explicitly set a from header in this manner, what’s used as the from header?
This depends a lot on how the transmitting side of things (the SMTP server and PHP) are configured. If we take cPanel for example, the PHP script that’s generating the email runs within the cPanel account. Consequently the from header address (if one isn’t explicitly defined) is set to:
Whilst this would make sender verification succeed (due to the presence of a system mailbox of the cPanel user being present in cPanel accounts by default), it doesn’t look particularly compliant from the perspective of the recipient mail server. This could be for reasons such as there not being an SPF record in place for the domain of the server’s hostname. A lack of SPF record can also negatively affect email deliverability.
If you combine both factors (PHP generated emails being treated with more suspicion and from headers not conforming to Sender Callout Verification) then you could potentially be looking at a problem with email deliverability. This may result in the emails that your site sends as being either routed to junk or spam folders of flat out rejected by recipient mail servers.
Why you’d want to use SMTP authentication.
I’ve just talked about some of the negatives associated with PHP mail() generated emails, and how they can negatively affect email deliverability.
SMTP authentication can be used to mitigate some of these negatives and therefore improve email deliverability for the emails that your website sends. To put it in one simple statement:
SMTP authentication is an aspect that improves the chances of the site generated emails being received.
At this point, you might think “My site doesn’t really send any emails, I’m not too fussed about this”.
Well, you might consider rethinking that, just to cover the email notifications WordPress sends you, or the email based password reset mechanism WordPress uses for password resets. Sure you can reset your WordPress password via the database, but let’s take one more thing in to account:
Your website’s contact form.
Pretty much everyone’s website has a contact form on it, to allow people to get in touch with the website or business owner.
That’s potential customers using your website to send you an email (which is generated by your site). Do you want that going to your junk or spam folders? Probably not.
If at this point, you’re considering just putting your email address on your website, so that you don’t have to do anything about SMTP authentication and email deliverability, at least think twice before doing this.
Well, there are bots out there, made by spammers that read people’s websites looking for email addresses displayed on websites that feed back to spammers databases. Just by putting your email address on your website you’re highly likely to receive a lot of spam.
Just to cover it, spam can also be sent using contact forms, and to prevent this you’ll need to protect your site’s contact form with a captcha.
So to prevent spam you need a captcha protected contact form, and for your contact form emails to be more likely to reach you, you need to make sure your email deliverability is good, and consequently SMTP authentication is advisable.
If your site sends a lot of email notifications (order confirmation emails if you’re running a shop, or update emails if you’re running a blog), then you’d need to take your site’s email deliverability in to account to ensure recipients receive the emails your site sends.
How to set up SMTP authentication in WordPress.
Before you can configure your WordPress to carry out SMTP authentication you need to set up an SMTP user for it to authenticate against. You do this by creating a mailbox.
How to create a mailbox.
Exactly how you’d do this varies between hosting platforms. The screen shots below are all taken from a cPanel hosting account. If you’re using something different the steps you’d need to take are the same, but they might look different in appearance.
If you’re using cPanel, log in to your cPanel account and click on “Email Accounts”:
Then, on the email accounts page, click the “Create” button:
On the page that you then see, you’ll need to set:
Domain: the part after the @ sign of the email address you’d like to create (if you have single domain hosting this will be set to your domain by default)
Username: The part before the @ sign of the email address you’d like to create.
Password: Specify what you’d like to be the password for the mailbox you’re creating. MAKE A NOTE OF THIS as it can’t be seen (only reset) once you’ve created the email address/mailbox.
Once you’ve set all these, click the “create” button.
And you’ll then see the mailbox you’ve created in the list of email accounts:
You’ve just created something that can be used to undertake SMTP authentication, so now you need to configure WordPress to authenticate against this SMTP newly created SMTP user.
Configure SMTP authentication in WordPress.
When setting up SMTP authentication in WordPress, we need to effectively tell WordPress:
- Where to connect to (the address of the SMTP server)
- How to connect (such as encryption methods)
- Who to connect as (the username)
- The password of the user (to be able to authenticate)
I know that my website and my mailbox exist on the SAME server. I can tell this by looking at the DNS records for my domain using intodns.com. Like this:
See how the highlighted parts both have the same IP address (184.108.40.206)? That means that the same server handles traffic for both my website and my emails for my domain. So the mail server runs locally for me, and this is generally the case when using cPanel hosting (unless your hosting provider has spearate servers for website .
If you see the same you’ll be able to follow this guide like for like, but the mailbox you created when carrying out the above, you’ll need to know the address of this server (check your hosts email settings, and make a note of the mail server address that’s provided as you’ll need this in a minute).
We’re going to need to install a plugin that can be used for SMTP authentication. So log in to your WordPress and hover over “Plugins” in the menu on the left hand side, then click on “Add new”:
The plugin we’re going to use is called Easy WP SMTP so type this in the search box, then click on the “Install Now” button in the Easy WP SMPT section:
Then, when it’s finished installing click the “Activate” button:
After activating you’ll be directed to a “Let’s get you started” page, but just click the “Go back to the dashboard” at the bottom of the page:
And you’ll then be directed to Easy WP SMTP’s settings page:
Scroll down until you see the “Mailer Settings” section, and in this section click on “Other SMTP”:
If you then scroll down a bit further, you’ll see where you enter the SMTP server settings.
Because I know my SMTP server is on the same server as my site, I’m going to use these settings:
- SMTP Host: localhost
- Type of encryption: None (there’s no certificate on localhost, which you need for encryption to work, and I don’t need encryption as no data is being sent over the wire, it’s all contained on a single virtual machine)
- SMTP port : 25 (because this is the port SMTP servers listen on when no encryption is being used)
- Auto TLS: Off (because I don’t want to use encryption)
- SMTP Authentication: Enabled (because that’s why we’re doing all this!)
- SMTP username: email@example.com (because that’s the username of the mailbox I set up earlier, which I’ll be making WordPress use for authentication)
- SMTP Password: The password of the firstname.lastname@example.org mailbox that I set when creating this mailbox.
If the mail server you’re using is an external mail server, you’ll need to know the address of this server, and you’ll want to use encryption because a username and password is being transmitted to an external server, so you’d be best to use:
- SMTP Host: the address of the mail server that holds the mailbox you created as above.
- Type of encryption: TLS
- SMTP port: 587 (because this is the port SMTP servers listen on when no using TLS encryption)
- Auto TLS: On
- SMTP Authentication: Enabled (because that’s why we’re doing all this!)
- SMTP username: The username of the mailbox you recently created (usually the full email address)
- SMTP Password: The password of the mailbox that you set when creating the mailbox.
Scroll down a bit further and you’ll see some more settings. In this area make sure you set the “From Email Address: as the same address you used as the username above.
You can set the “force from email” a “From name” and “Force from name” if you want, but I tend to specify these in the contact forms themselves. It’s up to you.
Then click “Save Settings”:
Now we just need to test this all works. We can do this by clicking on the “Send a test” facility in the Easy WP SMTP menu options on the left hand side of your WordPress dashboard:
Enter an email address to send the test email to, then click on “Send Test Email”:
And, if you’ve set everything up correctly, you should see a “Test HTML email was sent successfully! Please check your inbox to make sure it is delivered.” message:
But like it says, check to make sure it has been delivered. We’re doing this mainly to improve email deliverability and making sure the test email was delivered to the mailbox is the best way to confirm website generated emails can be received OK.
I’ve just checked, and the test email is present in my mailbox:
Any further emails that WordPress sends will now undergo SMTP authentication as you’ve configured above. Great! Now you’re ready to add a contact form to your WordPress.
- Email deliverability is important even if your site only sends you contact form emails.
- Email deliverability can, in part, be improved with SMTP authentication.
- When configured your WordPress will use SMTP authentication for all site messages. This includes the password reset emails.
- If you use a contact form on your site, using SMTP authentication increases the chance of you receiving the contact form generated emails.