Why are WordPress emails being blocked by Outlook, especially for the same domain?

Key findings

• Silent blocking: Emails reported as delivered by the sending service (like Brevo) may still be silently dropped or quarantined by Outlook, especially when sending to the same domain.
• Authentication issues: Lack of proper email authentication (SPF, DKIM, DMARC) is a primary reason for deliverability issues, particularly with Outlook, even for internal domain emails. More information on this can be found in our guide on why emails have deliverability issues with Outlook.
• Web host IP reputation: If WordPress uses the default PHP mail function, emails are sent from the web host's IP, which may have a poor reputation, leading to blocking. WordPress typically doesn't add authentication to outgoing messages, increasing the likelihood of being marked as spam.
• Internal security policies: Microsoft 365 (O365) instances, especially those managed by third-party hosting providers like GoDaddy, often implement additional security measures or custom filters that can block even legitimate internal domain emails. This is a common cause of emails going to spam.

Key considerations

• Check ESP logs and message traces: Even if the ESP reports delivery, cross-reference with recipient-side message traces (e.g., in Microsoft 365 Exchange admin center) to confirm the email's journey and final disposition.
• Review authentication records: Ensure your domain has correctly configured SPF, DKIM, and DMARC records that align with your sending ESP (e.g., Brevo).
• Contact hosting provider/Microsoft support: If the Outlook instance is managed through a third-party (like GoDaddy for O365), they may have specific security settings or filters that need to be adjusted or whitelisted, which might not be visible in standard user settings.
• Consider an SMTP plugin: Using an SMTP plugin in WordPress to route emails through a reputable email service provider (ESP) rather than the default PHP mail function significantly improves deliverability by leveraging the ESP's strong IP reputation and authentication.

Key opinions

• SMTP plugins are essential: Many marketers advocate for using an SMTP plugin (like WP Mail SMTP) to bypass WordPress's unreliable PHP mail() function and improve email deliverability. This can help to fix email blocking issues with Microsoft domains.
• Check ESP logs first: The first step in troubleshooting should always be to review the logs provided by the email service provider (ESP), even if they indicate delivered status.
• Outlook's strict filtering: Outlook (and Microsoft 365) are known for their aggressive spam filtering, which can even affect emails sent from a domain to itself. Sometimes, this happens because a server has been blocklisted.
• Authentication is key: Proper email authentication (SPF, DKIM, DMARC) is repeatedly emphasized as crucial for deliverability, especially to Microsoft inboxes. Businesses often struggle with email deliverability issues if these are not correctly set up.

Key considerations

• Inspect Outlook message traces: If emails are sent but not received, administrators should use Outlook's message trace tools to determine where the email journey ended within the Microsoft ecosystem.
• Review Microsoft 365 security settings: Check for any custom transport rules, spam filters, or quarantine policies within Microsoft 365 that might be catching the WordPress emails, even for the same domain.
• Consult with the ESP: If the ESP reports successful delivery but the emails are not arriving, escalate the issue to the ESP's support team for deeper investigation into potential recipient-side issues.
• Beware of sudden changes: Sudden blocking issues, without configuration changes, can point to dynamic adjustments in recipient server policies or newly detected reputation issues with the sending IP.

Key opinions

• Authentication is critical: Experts universally agree that proper email authentication (SPF, DKIM, DMARC) is non-negotiable for reliable deliverability, particularly to Microsoft inboxes. Our guide to DMARC, SPF, and DKIM can help.
• O365 security measures: Microsoft 365 has robust internal security settings that can override typical mail flow, causing emails to be quarantined or dropped even if they pass basic checks, especially for emails from the same domain. The way Microsoft verifies emails has significantly changed.
• DNS configuration: Incorrect or outdated DNS settings (specifically related to email authentication) can lead to delivery failures, even if the sending ESP reports success. This is often an issue with hidden SPF DNS timeouts in Microsoft environments.
• Message tracing is key: For Microsoft 365 users, running a message trace provides granular details on what happened to an email after it left the sending ESP and entered the Microsoft ecosystem, which is vital for diagnosing silent drops.

Key considerations

• Check for quarantine reports: Look for notifications (e.g., from Proofpoint or Microsoft Defender) indicating that emails have been quarantined rather than blocked or bounced. These often contain clues about the specific filter tripped.
• Consult with O365 administrator: Issues with O365 environments, especially those managed by third parties, often require administrative access or direct contact with the provider to adjust internal security settings or whitelists.
• Distinguish between SMTP and internal mail flow: Emails reported as delivered by an ESP may not have been delivered via SMTP to the final recipient's mailbox if an internal O365 policy intervened. This distinction is important for pinpointing the exact point of failure.
• Monitor changes in deliverability: Sudden changes in email deliverability to a specific recipient or domain, without any known configuration changes, warrant immediate investigation into external factors like reputation shifts or updated ISP policies.

Key findings

• PHP mail() limitations: WordPress, by default, sends emails using the PHP mail() function, which often lacks the necessary authentication for reliable delivery and can lead to emails going missing or to spam folders. This method is considered less reliable than SMTP for sending emails, as documented by WPBeginner.
• Lack of authentication: Default WordPress emails typically lack proper SPF, DKIM, and DMARC authentication, making them appear unverified and more likely to be blocked or sent to junk by strict email providers like Outlook. Understanding how email blacklists work can shed light on this.
• SMTP is recommended: Official documentation and guides consistently recommend using an SMTP plugin to connect WordPress to a dedicated email service provider. This ensures emails are sent with proper authentication and a better sender reputation.
• DNS records and misconfigurations: Incorrect or missing DNS records for SPF, DKIM, and DMARC are frequently cited as a primary reason for email delivery failures, including those to Microsoft domains. Keeping up-to-date with Outlook's new sender requirements is important.

Key considerations

• SMTP setup verification: Thoroughly verify the SMTP settings within your WordPress plugin (e.g., host, port, encryption, authentication) to ensure they correctly connect to your chosen email service provider.
• Domain reputation and blocklists: Continuously monitor your domain's reputation and check for its presence on any email blocklists, as this can severely impact deliverability to all recipients, including those on your own domain.
• Server configuration checks: Ensure your WordPress hosting server is properly configured to allow outbound SMTP connections and that no firewall rules are inadvertently blocking email traffic.
• Testing email functionality: Utilize built-in test features within SMTP plugins to verify that emails can be sent successfully, and consider testing to various external email providers in addition to Outlook.