D
DMARC Creator

How to Set Up DMARC for WordPress Sites and Email

Learn how to set up DMARC for WordPress. Covers wp_mail, SMTP plugins, WooCommerce email, contact forms, and adding DMARC at your DNS provider.

Last updated: 2026-01-28

WordPress powers nearly half the web, but it does not manage DNS or email authentication on its own. If you run a WordPress site, your DMARC record gets added at your domain registrar or hosting provider — not inside WordPress. The tricky part is understanding how WordPress sends email and making sure those emails align with your DMARC policy.

This guide covers why WordPress sites need DMARC, how the wp_mail function works, how SMTP plugins fit into the picture, and the step-by-step process for getting your DMARC record published. If you have not decided on your DMARC record yet, our how to create a DMARC record guide will help you build the right one.

Why WordPress Sites Need DMARC

WordPress sends more email than most site owners realize. Even a simple blog or brochure site generates automated messages:

  • Contact form submissions — plugins like Contact Form 7, WPForms, and Gravity Forms send form data via email
  • User registration and password reset emails — WordPress core sends these automatically
  • WooCommerce transactional emails — order confirmations, shipping updates, refund notices, and invoices
  • Newsletter and marketing emails — plugins like Mailchimp, Mailpoet, or Sendinblue integrations
  • Comment notifications — WordPress notifies you about new comments via email

Without DMARC, these emails are more likely to fail authentication checks and land in spam. Worse, anyone can send spoofed emails pretending to be from your domain. DMARC protects against both problems. For a primer on how SPF, DKIM, and DMARC work together, read SPF vs DKIM vs DMARC.

If your WordPress site sends email using the default wp_mail function (which most sites do), those emails are sent from your web server using PHP's mail() function. The "From" address often defaults to something like wordpress@yourdomain.com, but the actual sending server may not be authorized in your SPF record. This causes DMARC alignment failures.

How WordPress Sends Email

Understanding the email flow helps you configure DMARC correctly.

The Default: wp_mail and PHP mail

By default, WordPress uses the wp_mail() function, which relies on PHP's built-in mail() function. This sends email directly from your web server. The problem is that your web server's IP address is often not included in your domain's SPF record, and there is no DKIM signing happening. This means both SPF and DKIM will fail, and your DMARC check will fail too.

The Better Option: SMTP Plugins

SMTP plugins like WP Mail SMTP, FluentSMTP, or Post SMTP replace the default wp_mail behavior. Instead of sending from your web server, they route email through a proper email service — Google Workspace, Microsoft 365, SendGrid, Amazon SES, or your hosting provider's SMTP server.

When you use an SMTP plugin connected to an authenticated email service, your emails are sent from servers that are already included in your SPF record and can sign with DKIM. This is the path to DMARC alignment.

Configuring WP Mail SMTP for DMARC Alignment

If you are not already using an SMTP plugin, setting one up is the most impactful thing you can do for your WordPress email deliverability.

1

Install an SMTP plugin

Install and activate WP Mail SMTP (or a similar plugin like FluentSMTP). Go to Plugins > Add New in your WordPress admin and search for "WP Mail SMTP." Install and activate it.

2

Choose your email service

In the plugin settings, select the email service you want to route through. Common options include Google Workspace (Gmail), Microsoft 365 (Outlook), SendGrid, Amazon SES, or "Other SMTP" for your hosting provider's mail server. Each service has its own setup steps.

3

Configure the From address

Set the "From Email" to an address at your domain (like hello@yourdomain.com). This must match the domain you are setting up DMARC for. Enable the option to force this From address across all WordPress emails so plugins cannot override it with a different address.

4

Send a test email

Use the plugin's built-in test feature to send a test email. Verify it arrives and check the email headers to confirm the sending service is correct. Look for SPF and DKIM pass results in the headers.

The "Force From Email" setting in WP Mail SMTP is important for DMARC. Without it, individual plugins (contact forms, WooCommerce, etc.) may set their own From address, which can break DMARC alignment if the address does not match your authenticated domain.

Adding Your DMARC Record

Your DMARC record gets added at your DNS provider — this is wherever your domain's nameservers point. For WordPress sites, this is typically your hosting provider (Bluehost, SiteGround, Hostinger) or your domain registrar (GoDaddy, Namecheap, Cloudflare).

The recommended starting record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;
1

Log in to your DNS provider

Go to your hosting provider or domain registrar and navigate to DNS management. For specific instructions, see our guides for cPanel, Bluehost, GoDaddy, Cloudflare, or Namecheap.

2

Add a TXT record

Create a new TXT record with the Name or Host set to _dmarc. Your DNS provider usually appends your domain automatically, so the full record resolves at _dmarc.yourdomain.com.

3

Paste your DMARC record as the value

In the Value field, paste your complete DMARC record string. Do not add quotation marks around the value.

4

Save and verify

Save the record and wait a few minutes. Then verify it at dmarcrecordchecker.com.

Common WordPress DMARC Issues

wp_mail Sends From the Wrong Address

By default, WordPress sends email from wordpress@yourdomain.com or sometimes from the server's hostname (like user@server123.hostingprovider.com). If the From address does not match your domain, DMARC alignment fails immediately. Fix this with an SMTP plugin that forces a consistent From address at your domain.

WooCommerce Emails Failing Authentication

WooCommerce sends a high volume of transactional email — order confirmations, shipping updates, and customer account emails. If these fail DMARC checks, customers will not receive critical order information. Make sure your SMTP plugin handles all WooCommerce email by configuring it at the WordPress level, not just for specific plugins.

Contact Form Emails Using Visitor's Address

Some contact form plugins set the "From" address to the visitor's email address — the person who filled out the form. This is a common misconfiguration that causes DMARC failures because you are sending email "from" someone else's domain. Configure your contact form to use your domain as the From address and put the visitor's email in the Reply-To field instead.

Multiple Plugins Sending Email Differently

Large WordPress sites may have several plugins sending email: WooCommerce, a membership plugin, a booking system, and a newsletter tool. Each may try to configure email sending independently. An SMTP plugin with "Force From Email" enabled ensures all outgoing email goes through the same authenticated channel.

Check your WordPress site's email authentication

Verify your SPF, DKIM, and DMARC records are all working together.

Run a Free Check

SPF and DKIM for WordPress Email

DMARC requires either SPF or DKIM to pass and align. Here is what you need:

SPF: Your SPF record must include whatever service sends email for your WordPress site. If you use Google Workspace through WP Mail SMTP, include include:_spf.google.com. If you use SendGrid, include include:sendgrid.net. If you use your hosting provider's SMTP, include their SPF directive. Build your complete SPF record at spfcreator.com.

DKIM: Enable DKIM signing in your email service. Google Workspace, Microsoft 365, SendGrid, and Amazon SES all support DKIM. You will need to add DKIM DNS records at your DNS provider. Generate them at dkimcreator.com.

If you still rely on PHP mail (the default), neither SPF nor DKIM will be properly configured. This is the strongest argument for switching to an SMTP plugin -- it makes DMARC compliance possible. Developers building custom WordPress themes or plugins that send email should also review our DMARC for developers guide for implementation patterns.

Moving to Enforcement

After two to three weeks of monitoring at p=none, review your DMARC reports to make sure all WordPress email sources pass authentication. Then follow this progression:

Start with p=quarantine; pct=25; to quarantine a small percentage of failing messages. Monitor for a week. Increase to pct=100, then move to p=reject when you are confident all legitimate email passes.

For the full enforcement guide, see our DMARC policy levels guide.

Test before enforcing

Before moving past p=none, send test emails from every WordPress plugin and feature that generates email. Check each one passes SPF or DKIM. One misconfigured plugin can cause real email to be blocked once you enforce.

Related Articles

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring