Sending Email Safely

Email marketing can be a complex beast with several common pitfalls. This article aims to provide several security-related recommendations for sustainable email marketing.

1. Set up DMARC and monitor email usage reports

We recommend setting up DMARC ("Domain-based Message Authentication Reporting and Conformance") for your domain to enable you to control and monitor its usage.
Malicious actors may impersonate your domain in their spam or phishing emails. Having a restrictive DMARC policy reduces their ability to do so and improves your deliverability at the same time.

ReturnPath and ProofPoint have great guides on how to set up DMARC.
It will require creating a new DNS record "", so you may want to ask your domain provider to help.

If you have never used DMARC for your domain, we recommend starting with a neutral policy:

v=DMARC1; p=none; fo=1;;

Once you ensure that all desirable emails pass DMARC (e.g. after a few weeks of monitoring DMARC reports), you can switch to a more restrictive policy:

v=DMARC1; p=quarantine; fo=1;;

"rua=" specifies addresses where aggregate usage reports should be sent, while "ruf=" specifies addresses that should receive forensic reports.
This will allow you to see who uses your domain to send emails, whether authorized or unauthorized by you.
Tools like Dmarcian can make it easier to collect, process and visualize such reports for you.

Once you have DMARC set up, if you also use MailPoet's Sending Service to deliver emails, you'll want to set up DKIM for your Sender Domain as well.

2. Secure your site

Having a secure site is important, as most online sites these days experience ongoing attack attempts.
If your site is breached, it may not be obvious if it happened, and your site may end up being abused, leading to reduced deliverability.

2.1. General site security

While it is a lengthy guide, the official Hardening WordPress security guide offers the most complete overview on WordPress security. You may not be able to take every precaution, but try to cover as many as you can.

You can also set up security products like Jetpack Security, WordFence or Sucuri as all-in-one security solutions for your WordPress site to provide more formidable defense, including active vulnerability and malware scanning.

2.2. Secure your forms

Bots tend to attack various online forms, e.g. guessing login credentials, trying to send spam or create fraudulent accounts and subscriptions, so it is important to ensure your forms are resistant to such attacks.

MailPoet's forms are pretty secure, and you can further secure them by adding a CAPTCHA to your MailPoet subscription forms.

If you use other subscription or contact form products, or have other signup forms (e.g. WooCommerce checkout), see if they offer similar protections. 

Otherwise, consider investing into security tools like Jetpack Security, WordFence, Sucuri that protect the whole site.

2.3. Update site's software

WordPress core, most plugins and themes continuously release security updates as new vulnerabilities are discovered and fixed. 

It is crucial to keep your site updated to latest WordPress, plugin and theme versions available to ensure known vulnerabilities could not be exploited to breach your site.

Of course, site security is not limited just to WordPress. Consult with your host to ensure your site uses the latest secure PHP, MySQL, web server versions as well.

3. Follow good sender practices

Having good security is paramount, but it is only one part of the story.
Follow our recommended sender best practices to ensure that you follow best email marketing practices and stay out of trouble.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.