WooCommerce is a WordPress-based e-commerce platform powering a large share of online stores. Unlike dedicated ESPs, WooCommerce does not operate its own email sending infrastructure — by default it sends order confirmations, shipping notifications, and customer account emails through your web host's PHP mail server. This creates a significant authentication problem that requires deliberate action to fix.
The Core Problem: Default WooCommerce Email Is Unauthenticated
Out of the box, WooCommerce uses WordPress's wp_mail() function, which sends through your hosting server's local mail handler. This means:
- No DKIM signing — messages are not signed with your domain
- SPF likely fails or misaligns — your host's shared IP may not be in your SPF record
- DMARC will show failures — order confirmation emails going to customer spam
The fix is to route WooCommerce email through an authenticated transactional email provider using the WP Mail SMTP plugin.
Choosing a Sending Provider
WP Mail SMTP re-routes wp_mail() through a third-party mailer you configure. The DNS records you need depend on which provider you choose. For DMARC compliance, the best choices are:
| Provider | SPF Alignment | DKIM Alignment | Notes |
|---|---|---|---|
| SendGrid | Yes | Yes | Full alignment via domain authentication |
| Mailgun | Yes | Yes | Full alignment; subdomain setup recommended |
| Brevo (Sendinblue) | No | Yes | DKIM only — no custom return-path |
| Postmark | Yes | Yes | Full alignment via custom bounce CNAME |
SendGrid and Mailgun are the most commonly recommended options for WooCommerce stores that need full DMARC alignment.
SPF Configuration
The SPF include you add depends on your chosen mailer:
SendGrid:
Type: TXT
Host: @
Value: v=spf1 include:sendgrid.net ~all
Mailgun:
Type: TXT
Host: @
Value: v=spf1 include:mailgun.org ~all
Combined example (SendGrid + Google Workspace for business email):
v=spf1 include:_spf.google.com include:sendgrid.net ~all
If your domain already has an SPF record, add the mailer's include to the existing record — do not create a second SPF TXT record.
Verify your total lookup count with the SenderClarity SPF Checker.
DKIM Configuration
Step 1 — Install and configure WP Mail SMTP
- In WordPress Admin, go to Plugins → Add New and install WP Mail SMTP.
- Navigate to WP Mail SMTP → Settings → Mailer.
- Select your chosen provider (SendGrid, Mailgun, etc.) and enter your API key.
Step 2 — Complete domain authentication in your chosen provider
DKIM records are generated and verified inside your provider's dashboard, not inside WP Mail SMTP. Follow your provider's domain authentication process:
- SendGrid: In the SendGrid dashboard, go to Settings → Sender Authentication → Domain Authentication and authenticate your domain. SendGrid generates three CNAME records:
Type: CNAME
Host: s1._domainkey
Value: s1.domainkey.u12345678.wl123.sendgrid.net
Type: CNAME
Host: s2._domainkey
Value: s2.domainkey.u12345678.wl123.sendgrid.net
Type: CNAME
Host: em1234
Value: u12345678.wl123.sendgrid.net
The third CNAME (em1234) sets the return-path for SPF alignment.
- Mailgun: In the Mailgun dashboard, go to Sending → Domains and add your domain. Mailgun generates a DKIM TXT record and MX records for bounce handling.
- Add the DNS records your provider generates to your domain.
- Verify in the provider's dashboard.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Progress to enforcement after confirming WooCommerce store emails pass authentication:
p=quarantine; pct=25p=quarantine; pct=100p=reject
DMARC Considerations for WooCommerce
Default wp_mail() will fail DMARC — this is the most common source of e-commerce authentication failures: If you haven't configured WP Mail SMTP (or a similar plugin), your order confirmations and shipping notifications are almost certainly failing authentication. Hosting server IPs are shared, often flagged, and frequently absent from your SPF record entirely. Installing WP Mail SMTP and connecting a reputable transactional provider is the single highest-impact step you can take.
WooCommerce store emails and business email are two different streams: Your regular business email (Google Workspace, Microsoft 365) and WooCommerce transactional email are separate sending sources. Each needs its own entry in your SPF record, and each needs its own DKIM setup. Both will appear in your DMARC aggregate reports — often from very different IP ranges.
Third-party WooCommerce plugins send email too: Review request plugins (Yotpo, Judge.me), loyalty programs, affiliate platforms, and upsell tools may all send email as your domain through their own infrastructure. Each one is a separate DMARC risk. Audit your installed plugins for any that send email and ensure each has its own authentication configured.
Shopify crossover is common: Many merchants run WooCommerce alongside Shopify (or have migrated between them). If you have historical Shopify DNS records in your SPF, clean them up to avoid confusion and unnecessary lookup consumption.
Provider choice determines DMARC alignment options: Only providers that support a custom return-path (SendGrid, Mailgun, Postmark) give you SPF alignment alongside DKIM. Brevo provides DKIM alignment only. Both approaches satisfy DMARC, but dual alignment is more robust if your DMARC policy ever uses strict mode (
aspf=s).
Verification
- Check your SPF record →
- Place a test order on your store and check the confirmation email headers
- Confirm
dkim=passaligned to your domain andspf=passin the Authentication-Results header - Monitor DMARC reports in SenderClarity for store email traffic
Common Issues
Order confirmations going to customer spam: The most likely cause is unauthenticated default PHP mail. Install WP Mail SMTP, connect a transactional provider, and complete domain authentication.
Two SPF TXT records on the domain: Only one SPF record is allowed per domain. If you have an existing SPF record and added a second one, combine them: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Having two causes a permanent SPF error that breaks all SPF checking for your domain.
WP Mail SMTP shows emails sending but DKIM not aligned: The plugin routes email through the provider, but DKIM depends on completing domain authentication in the provider's own dashboard. Check your SendGrid or Mailgun account to confirm the domain is verified and DKIM is active.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
sendgrid.net |
2 |
mailgun.org |
~4 |
Choose your provider with SPF lookup budget in mind, especially if you already use Google Workspace and other services.