PrestaShop Email Deliverability: SMTP, SPF, DKIM & Transactional Email Setup

Why PrestaShop Emails End Up in Spam

Your customer places an order. The confirmation email never arrives — or it lands in spam. They contact you, confused. You check PrestaShop: the email was "sent." Email deliverability is not about whether PrestaShop sends the email — it is about whether the recipient's mail server accepts it and places it in the inbox.

PHP mail() — The Default Nobody Should Use

A fresh PrestaShop installation uses PHP's built-in mail() function. This is the worst option for a production store:

• No authentication: The email is sent with no proof you authorized it. Gmail, Outlook, and Yahoo treat unauthenticated email as suspicious.
• Shared IP reputation: On shared hosting, your emails come from the same IP as every other site. If any sends spam, your emails get penalized.
• No DKIM signing: PHP mail() does not sign messages cryptographically.
• Missing headers: Minimal headers mean spam filters flag the message immediately.

If your store uses PHP mail() right now, switch to SMTP before doing anything else. This single change fixes more deliverability problems than all other steps combined.

Common Spam Triggers

• From address mismatch: Sending from noreply@yourstore.com but your server has no SPF record allowing it.
• HTML-heavy templates: PrestaShop templates are image-rich. A high image-to-text ratio triggers filters.
• Missing plain-text alternative: PS sends both versions, but custom templates or modules sometimes break the plain-text part.
• Broken links: Spam filters follow links. If your store URL is unreachable (SSL error, maintenance mode), the email gets flagged.
• Encoding issues: Stores using Polish, Czech, or other diacritics produce garbled characters when encoding is wrong.

PrestaShop Email Configuration

Email settings have moved and the underlying library changed significantly in version 9.

PrestaShop 1.6 and 1.7

Navigate to Advanced Parameters → E-mail. Select "Set my own SMTP parameters" and fill in server, port, encryption, username, and password. PS 1.6 uses PHP's built-in SMTP handling; PS 1.7 introduced Swift Mailer for more reliable connections. Encryption options:

• TLS (port 587): Modern standard using STARTTLS. This is what you want.
• SSL (port 465): Legacy implicit TLS. Some older hosts require it.
• None (port 25): Unencrypted. Never use this.

PrestaShop 8.x

Same location, same interface. PS 8 uses the final Swift Mailer version with improved error reporting. SMTP errors are logged with more context in var/logs/.

PrestaShop 9.x — Symfony Mailer

PS 9 replaces the deprecated Swift Mailer with Symfony Mailer. The admin UI looks similar, but the transport layer is completely different:

• DSN format: Internally uses smtp://user:password@server:port.
• TLS handling: Auto-detects STARTTLS on port 587. The "encryption" dropdown may behave differently after upgrading from PS 8.
• Stricter validation: Symfony Mailer is stricter about envelope sender matching the From header and TLS certificates.
• Module compatibility: Modules referencing Swift_Message or Swift_SmtpTransport will break on PS 9.

# PS 9 internal DSN examples (configured via admin UI)
smtp://user:password@mail.example.com:587      # STARTTLS
smtps://user:password@mail.example.com:465     # Implicit TLS
smtp://your%40gmail.com:app-pass@smtp.gmail.com:587  # Gmail
native://default                                # PHP mail() (not recommended)

After upgrading to PS 9, always re-test email. The Swift Mailer to Symfony Mailer migration can expose edge cases with self-signed certificates, non-standard ports, or loosely implemented SMTP servers.

The Test Email Button

Every PS version has "Send a test email." Use it, but understand it confirms the SMTP connection works — not that the email reaches the inbox. It sends simple text, not the rich HTML of order confirmations. Test with Gmail, Outlook, and your own domain.

Domain Authentication — The Holy Trinity

SPF, DKIM, and DMARC are DNS-based authentication proving your emails are legitimate. Gmail and Yahoo made SPF and DKIM mandatory for bulk senders in February 2024.

SPF (Sender Policy Framework)

SPF tells receiving servers which IPs can send email for your domain — a single TXT record in DNS.

# Basic — allows hosting + Google
v=spf1 include:_spf.google.com include:your-hosting-provider.com ~all

# OVH
v=spf1 include:mx.ovh.com ~all

# Hostinger
v=spf1 include:_spf.hostinger.com ~all

# With Mailgun
v=spf1 include:mailgun.org include:_spf.google.com ~all

Common mistakes:

• Multiple SPF records: Only ONE SPF TXT record per domain. Two records = both invalid. Combine services with multiple include: directives.
• Too many DNS lookups: SPF allows maximum 10 lookups (each include: counts, nested ones too). Use SPF validators to check.
• +all instead of ~all: +all allows everyone to send as your domain. Use ~all (softfail) during setup, then -all (hardfail) for production.
• Forgetting subdomains: SPF for shop.example.com needs its own record — it does not inherit from example.com.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. PrestaShop does not handle DKIM — your hosting provider, SMTP relay, or transactional service does the signing. You publish the public key in DNS.

• Shared hosting (cPanel/Plesk): Usually enabled automatically. Check cPanel → Email Deliverability.
• Gmail/Google Workspace: Admin console → Gmail → Authenticate email. Google provides a TXT record.
• Transactional services: Each provides DNS records during their domain verification wizard.

# DKIM TXT record example
# Name: default._domainkey.yourstore.com (selector varies by provider)
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells servers what to do when authentication fails.

# Stage 1: Monitor only
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourstore.com;

# Stage 2: Quarantine failures
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourstore.com;

# Stage 3: Reject failures (maximum protection)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourstore.com;

The rua tag sends aggregate reports — XML files showing who sends email as your domain. Use Postmark DMARC monitoring to parse them into readable dashboards.

Recommended rollout: p=none for 2-4 weeks while reading reports. Fix legitimate senders that fail. Move to p=quarantine for 2-4 weeks. Then p=reject. Rushing to reject on day one blocks emails you did not know about.

SMTP Setup for Shared Hosting

Most PrestaShop stores run on shared hosting. Create a dedicated email account (e.g., orders@yourstore.com) and use those credentials.

Provider-Specific Settings

# Generic cPanel
Server: mail.yourstore.com | Port: 587 | Encryption: TLS

# OVH
Server: ssl0.ovh.net | Port: 587 | Encryption: TLS

# Hostinger
Server: smtp.hostinger.com | Port: 587 | Encryption: TLS

# SiteGround
Server: yourstore.com | Port: 465 | Encryption: SSL

# Bluehost
Server: mail.yourstore.com | Port: 465 | Encryption: SSL

Gmail SMTP

Requires an App Password (Google Account → Security → 2-Step Verification → App passwords).

Server: smtp.gmail.com | Port: 587 | Encryption: TLS
Username: your@gmail.com | Password: (16-char App Password)

Limits: Free Gmail: 500/day. Google Workspace: 2,000/day. Sends-too-fast triggers temporary blocks.

Gmail SMTP works for stores under 30 orders/day. Beyond that, hitting limits means customers wait up to 24 hours for order confirmations.

Microsoft 365 SMTP

Server: smtp.office365.com | Port: 587 | Encryption: TLS
Username: your@yourstore.com | Password: account or App Password

Limit: 10,000 recipients/day, 30 messages/minute. Microsoft has increasingly required OAuth over basic SMTP auth — check your tenant settings.

Transactional Email Services

When your store outgrows hosting SMTP, these services provide dedicated high-reputation infrastructure, DKIM signing, bounce handling, and delivery analytics.

When to Switch

• Hitting hosting sending limits
• Emails land in spam despite correct DNS records
• You need delivery tracking and bounce management
• Shared hosting IP reputation is dragging you down

Service Comparison

Mailgun — From $15/mo for 10K emails. Excellent API, detailed analytics. SMTP: smtp.mailgun.org:587.

Postmark — From $15/mo for 10K emails. Highest inbox rates in the industry. Separates transactional from marketing. SMTP: smtp.postmarkapp.com:587. Use Server API Token as username and password.

Amazon SES — $0.10 per 1,000 emails. Cheapest at scale. Create SMTP credentials in SES console (not AWS access keys). New accounts start in sandbox mode. Region-specific server: email-smtp.eu-west-1.amazonaws.com:587.

SendGrid — Free tier: 100/day. Paid from $19.95/mo. Username is literally apikey, password is your API key. SMTP: smtp.sendgrid.net:587. Free tier shared IPs have poor reputation — budget for paid.

Brevo — Free tier: 300/day. Paid from $9/mo. Built-in newsletter/CRM, EU-based (GDPR). SMTP: smtp-relay.brevo.com:587. Has a dedicated PrestaShop plugin.

Recommendation: Brevo if you want marketing email too. Postmark if transactional deliverability is your priority. Amazon SES for high volume on a budget. Mailgun as the all-rounder.

Integration

All work through standard SMTP — no modules required: (1) verify your domain, (2) add their DNS records (SPF, DKIM), (3) generate SMTP credentials, (4) enter in PrestaShop email settings, (5) test.

Self-Hosted Email (Advanced)

Running your own mail server gives complete control — no third-party limits, no per-email fees, full privacy. We run Mailcow ourselves. But the cost in time and expertise is real.

When It Makes Sense

• Privacy: All email data stays on your server. Important under strict GDPR.
• Volume: At 100K+ emails/month, a $40/month VPS beats any transactional service.
• Control: Custom rules, no arbitrary limits, no account suspensions.

When It Does Not

• No sysadmin experience: Misconfigured mail servers are worse than shared hosting.
• New IPs: Building reputation from zero takes weeks. Transactional services give you established reputation immediately.
• No PTR record: Without reverse DNS, most servers reject your email outright.
• Maintenance burden: Patches, certificates, blocklist monitoring, logs — ongoing work.

Options

Mailcow: Docker-based, includes webmail, antispam, antivirus, autodiscover. Needs 4GB+ RAM. Our choice.

Mail-in-a-Box: All-in-one on dedicated Ubuntu server. Simpler but takes over the machine.

iRedMail: Traditional Postfix+Dovecot. Most flexible, lightest, most manual.

Start by running self-hosted email for your own business for 3 months before routing customer store email through it. Build reputation gradually. Keep a transactional service as fallback.

Email Types in PrestaShop

Critical — Must Arrive Immediately

• Order confirmation (order_conf): The most important email. If this lands in spam, expect chargebacks and lost trust.
• Payment confirmation (payment): Customers are anxious until they see this.
• Password reset (password_query): Time-sensitive. If it takes 10 minutes, the customer is gone.
• Account creation (account): First impression of your store.

Important — Should Arrive Promptly

• Shipping notification (shipping): Contains tracking info.
• Order status updates (order_changed): Processing, shipped, delivered.
• Invoice and refund: Needed for B2B and reassurance.

Separate transactional and marketing email. Use your primary domain for order emails and a subdomain (news@mail.yourstore.com) for newsletters. This prevents newsletter spam complaints from damaging your order confirmation reputation.

Templates live in mails/{iso_code}/. Each has an HTML (.html) and plain-text (.txt) version. Always maintain both — a missing plain-text alternative is a spam signal.

Hosting Selection for Email

Shared Hosting Limitations

• Shared IP reputation: You share an IP with 200+ sites. If any sends spam, your email is penalized. You cannot control this.
• Sending limits: Typically 100-500/hour and 500-5,000/day. Flash sales and newsletters burn through this fast.
• No dedicated IP: Not available on shared hosting. Period.
• Limited DNS control: Some cheap hosts restrict custom DKIM, TXT, or PTR records.
• Blocked ports: Some hosts block outgoing 587, preventing connection to transactional services.

VPS Advantages

• Dedicated IP with your own reputation
• No artificial sending limits
• PTR (reverse DNS) record — essential for deliverability
• Full DNS control, any mail server you want

Red Flags

• "Unlimited email": There is no such thing on shared hosting.
• No DKIM support: Walk away.
• Port 587 blocked: Cannot use transactional services.
• Blocklisted IPs: Check at MXToolbox before committing.

Best strategy for shared hosting: skip the host's email entirely. Use a transactional service via SMTP. Your store sends through their high-reputation infrastructure, completely bypassing the shared IP problem.

New in PrestaShop 8 and 9

PS 8: Final Swift Mailer

PS 8 uses the last stable Swift Mailer 6.x. Improved TLS negotiation, better error logs in var/logs/, and email metadata in ps_mail. CLI testing: php bin/console prestashop:mail:test recipient@example.com.

PS 9: Symfony Mailer

Complete transport layer replacement. Key changes:

• Distinguishes smtp:// (STARTTLS, port 587) from smtps:// (implicit TLS, port 465)
• Stricter about envelope sender matching the From header
• Stricter TLS certificate validation — self-signed certs that worked in PS 8 may fail
• Modules using Swift Mailer classes (Swift_Message, etc.) break and need updating

# PS 9 email via environment variables (advanced)
# .env.local — overrides admin panel settings
MAILER_DSN=smtp://user:password@smtp.example.com:587
MAILER_DSN=smtp://user%40gmail.com:app-pass@smtp.gmail.com:587
# Special chars must be URL-encoded: @ = %40, : = %3A

For self-signed certificates in development:

# Disable TLS verification (NEVER in production)
MAILER_DSN=smtp://user:pass@host:587?verify_peer=0

Testing and Monitoring

Pre-Launch

mail-tester.com: Send a test email to their address and get a score out of 10 with specific issues. Aim for 9+. Free for 3 tests/day. Checks SPF, DKIM, DMARC, blocklists, HTML quality, headers, and links.

MXToolbox: DNS diagnostics — MX records, SPF validity and lookup count, DKIM resolution, DMARC policy, blocklist status.

Ongoing

Google Postmaster Tools: Shows spam rate, IP reputation, domain reputation, authentication success from Gmail's perspective. Free, requires domain verification.

Email headers: In Gmail, open email → three dots → "Show original." Look for:

SPF: PASS with IP 1.2.3.4
DKIM: PASS (signature verified)
DMARC: PASS

Schedule: weekly check of ps_mail for failures and DMARC reports. Monthly mail-tester.com and blocklist checks. Re-verify DNS after every change. Test email after every PrestaShop update.

Common Problems and Fixes

"Test Email Works But Customers Don't Receive Orders"

• Template rendering error: A Smarty error in the order template silently prevents sending. Check var/logs/.
• Missing template: The template for the customer's language does not exist in mails/{lang_iso}/.
• SMTP timeout: Large order confirmations (many products) time out on slow SMTP connections.
• From address rejected: SMTP servers that require the From address to match the authenticated user.

Rate Limiting

Importing 200 orders or sending a newsletter to 1,000 subscribers? Your SMTP server accepts the first batch and rejects the rest. Space out sends, check provider limits, or use a transactional service that handles queuing automatically.

Encoding Issues (Polish/Czech/Special Characters)

• Subject line garbled: Ensure your installation uses UTF-8 throughout. Subjects encode in RFC 2047 format.
• Template content broken: Email template files must be UTF-8 without BOM. Windows Notepad can save as ANSI — use VS Code.
• Database mismatch: Tables should use utf8mb4. Check: SHOW CREATE TABLE ps_product_lang;

Emails Blocked After Migration

• SPF not updated with new server IP
• DKIM key mismatch — new host generated new keys
• New IP has no reputation — warm it gradually over 2 weeks
• Port 587 blocked on new host
• DNS propagation — wait 24-48 hours after changes

Contact Form Not Arriving

Some modules set the customer's email as the From address. This fails SPF because your server cannot send from customer@gmail.com. The From should always be your store's domain, with the customer in Reply-To.

Email Deliverability Checklist

Step 1: Foundation

• ☐ Switch from PHP mail() to SMTP
• ☐ Create a dedicated sending address (e.g., orders@yourstore.com)
• ☐ Send test email to Gmail and Outlook — both must arrive in inbox

Step 2: DNS Authentication

• ☐ Add SPF record — verify at MXToolbox, under 10 lookups
• ☐ Enable DKIM and publish key in DNS
• ☐ Add DMARC record with p=none and rua reporting
• ☐ Check email headers — all three must show PASS

Step 3: Quality Check

• ☐ Score 9+ on mail-tester.com
• ☐ IP not on blocklists
• ☐ Templates exist for all languages, both HTML and plain text

Step 4: Real-World Testing

• ☐ Place test order — confirmation email arrives in inbox within seconds
• ☐ Process order through each status — each email arrives
• ☐ Test password reset, account creation, contact form

Step 5: Monitoring

• ☐ Register at Google Postmaster Tools
• ☐ Set up DMARC report processing
• ☐ Upgrade DMARC to p=quarantine after 2-4 weeks, then p=reject
• ☐ Schedule monthly deliverability checks

Step 6: Advanced

• ☐ Migrate to transactional service if hitting hosting limits
• ☐ Separate transactional and marketing email onto different domains
• ☐ Set PTR record if on VPS/dedicated
• ☐ Implement bounce handling

Each layer — SMTP, SPF, DKIM, DMARC, clean templates, reputable IP — adds to your credibility. Skip one and the system weakens. Work through this checklist methodically, test after each change, and your PrestaShop emails will reach the inbox. For general diagnostic steps, see our troubleshooting guide.