S
SPF Creator

SPF for WordPress: Email Authentication Guide

Set up SPF for WordPress sites. Configure email authentication for contact forms, WooCommerce emails, and WordPress notification delivery.

Your WordPress Contact Form Submissions Are Disappearing

Someone fills out the contact form on your WordPress site. They get a "Message sent" confirmation. You never see the email. It's not in spam — it simply never arrived. WordPress tried to send it using PHP's built-in mail() function, which has no authentication, no SPF alignment, and no credibility with receiving mail servers. For a business that depends on web leads, this is invisible revenue loss.

The WordPress Email Problem

WordPress relies on PHP's mail() function by default. This function hands the email to your web host's mail server with no authentication whatsoever. The receiving mail server sees an email claiming to be from your domain, sent from a random shared hosting IP that isn't authorized in your DNS. It fails every check.

Here's why WordPress email is uniquely problematic:

  • PHP mail() provides zero authentication — no SPF, no DKIM, nothing
  • Shared hosting IPs are frequently blacklisted because other sites on the same server send spam
  • WooCommerce stores send critical transactional emails (order confirmations, shipping notifications) that customers expect immediately
  • WordPress plugins like Contact Form 7, Gravity Forms, and WPForms all rely on the same broken mail system by default
  • The fix requires two steps: routing email through a proper SMTP service, then setting up SPF for that service

The best practice for WordPress email is to stop using PHP mail() entirely. Install an SMTP plugin like WP Mail SMTP and route all WordPress email through a proper sending service like SendGrid, Mailgun, Amazon SES, or your Google Workspace account. Then set up SPF for that service.

How SPF Creator Helps

SMTP service presets

Once you've routed WordPress email through SendGrid, Mailgun, Amazon SES, or another SMTP service, select that provider in SPF Creator and the correct include is added instantly.

Combine WordPress email with business email

Your WordPress site sends through one service, your team uses Google Workspace or Microsoft 365. SPF Creator merges both into a single, valid SPF record.

Host IP support

If you send through your web host's mail server instead of a third-party SMTP service, SPF Creator lets you add the server's IP address directly with an ip4: mechanism.

WooCommerce-ready

WooCommerce stores often use a transactional service for order emails plus a marketing platform for campaigns. SPF Creator handles multi-service records without exceeding the lookup limit.

Monitor your WordPress email authentication

Make sure your contact forms, WooCommerce orders, and notifications always pass SPF checks.

Start Monitoring

Setting Up SPF for WordPress

1

Install an SMTP plugin

Install WP Mail SMTP, FluentSMTP, or a similar plugin. Configure it to send through a real email service — SendGrid, Mailgun, Amazon SES, your Google Workspace account, or your host's SMTP server. This is the essential first step.

2

Identify your sending service

Check which service your SMTP plugin is configured to use. If it's SendGrid, your SPF include is include:sendgrid.net. If it's your Google Workspace account, it's include:_spf.google.com. Note the service for the next step.

3

Check your existing SPF record

Use SPF Record Check to see if your domain already has an SPF record. Many domains already have one for Google Workspace or Microsoft 365.

4

Open SPF Creator

Start a new record or import your existing one. Your record begins with v=spf1 automatically.

5

Add your sending services

Add the SMTP service your WordPress site uses, plus your business email provider. If you also use a marketing platform, add that too.

6

Publish and test

Copy the record to your DNS provider. Wait for propagation, then send a test email from WordPress (most SMTP plugins have a "Send Test Email" feature). Check the headers for spf=pass. Verify with SPF Record Check.

Common WordPress SPF Mistakes

Relying on PHP mail without SPF

The most common mistake is not realizing WordPress email is broken by default. PHP mail() sends from your host's IP, which almost certainly isn't in your SPF record. Even if you add the host's IP, shared hosting IPs are frequently blacklisted.

Wrong approach:

# No SMTP plugin, no SPF — emails fail silently
WordPress → PHP mail() → shared hosting IP → recipient (rejected)

Right approach:

# SMTP plugin routes through a proper service with SPF
WordPress → WP Mail SMTP → SendGrid → recipient (SPF pass)
SPF record: v=spf1 include:sendgrid.net ~all

Adding only the host IP without the email service

Some WordPress users add their web server's IP to SPF but forget that their business email (Google Workspace, Microsoft 365) also needs to be included. The result: WordPress emails pass but replies from your team inbox fail.

Wrong:

v=spf1 ip4:203.0.113.50 ~all

Right:

v=spf1 ip4:203.0.113.50 include:_spf.google.com ~all

Forgetting WooCommerce uses the same email path

WooCommerce order confirmations, shipping notifications, and refund receipts all use the same WordPress email system. If PHP mail() is broken for contact forms, it's broken for WooCommerce too. Every failed order confirmation is a potential support ticket.

Common WordPress + Service Combinations

# WordPress (SendGrid) + Google Workspace
v=spf1 include:sendgrid.net include:_spf.google.com ~all

# WordPress (Mailgun) + Google Workspace
v=spf1 include:mailgun.org include:_spf.google.com ~all

# WordPress (Amazon SES) + Microsoft 365
v=spf1 include:amazonses.com include:spf.protection.outlook.com ~all

# WordPress host IP + Google Workspace + Mailchimp
v=spf1 ip4:203.0.113.50 include:_spf.google.com include:servers.mcsv.net ~all

# WooCommerce (SendGrid) + Google Workspace + Klaviyo
v=spf1 include:sendgrid.net include:_spf.google.com include:_spf.klaviyo.com ~all

WooCommerce stores

If you run a WooCommerce store, treat your email setup like any other e-commerce platform. Use a dedicated transactional email service for order emails and a separate marketing platform for campaigns. SPF Creator handles the combined record.

Beyond SPF, WordPress sites benefit from DKIM signing — most SMTP services like SendGrid and Mailgun support it natively. Complete the trifecta with a DMARC policy so receivers know exactly how to handle emails that fail authentication.

DNS Provider Quick Reference

DNS ProviderRecord TypeHost/NameValue
CloudflareTXT@v=spf1 include:sendgrid.net include:_spf.google.com ~all
GoDaddyTXT@v=spf1 include:sendgrid.net include:_spf.google.com ~all
NamecheapTXT@v=spf1 include:sendgrid.net include:_spf.google.com ~all
Route 53TXT(blank)v=spf1 include:sendgrid.net include:_spf.google.com ~all
SiteGroundTXT@v=spf1 include:sendgrid.net include:_spf.google.com ~all

Pricing

Free

$0

  • Up to 3 items
  • Email alerts
  • Basic support

Pro

$9/month

  • Unlimited items
  • Email + Slack alerts
  • Priority support
  • API access

Related Articles

Monitor Your New SPF Record

You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss an SPF issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring