You filed your DKIM record, set up SPF, configured DMARC, and your transactional emails are still landing in spam folders. There is a good chance the cause is not your mail setup. It is your contact form quietly relaying spam through your domain.
The hidden relay problem
Most WordPress sites send mail directly from the web host using PHP’s mail() function or a basic SMTP plugin. Every contact form submission that gets accepted ends up as an outbound email — to you, with the visitor’s content. That message looks, from a mail-server reputation standpoint, like it came from your domain.
When the visitor is a spammer, what they typed in the message field is now an outbound email from your domain to your inbox, containing links to dating sites or crypto scams. Mailbox providers — Gmail, Outlook, Apple — score that against your domain. Enough of it, often enough, and your sender reputation drops.
How to tell if this is happening to you
Three signs:
- Your contact-form notification emails now go to your own spam folder, not your inbox.
- Your order confirmations or password resets get reported as junk by customers.
- Google Postmaster Tools shows a falling “domain reputation” score over the past 90 days.
None of these are conclusive on their own. All three at once is a strong signal that you are relaying spam content through your forms.
Why standard anti-spam plugins miss this
Most anti-spam plugins decide whether the submission is spam. They do not look at what happens after. If the submission gets accepted, the email still leaves your server with the spammy content intact. The reputation damage is identical to if the plugin had not been installed.
What actually fixes it
The fix has two pieces:
- Filter the inbound submission using AI intent scoring (so realistic-looking spam still gets caught).
- Guard the outbound mail — even for submissions that look borderline. Hold the outbound email for review instead of relaying spam content automatically.
That second piece is the part nobody talks about. It is the difference between “we blocked the spam” and “we did not damage the domain”.
QWeb Spam Shield has Mail Guard for exactly this
Spam Shield filters the submission with AI scoring and holds suspicious outbound mail before it leaves your server. The reputation hit you would have taken from relayed spam never happens. It is the bit other plugins miss.
If you do nothing else this month
Sign up for Google Postmaster Tools and add your domain. It takes ten minutes. Once your domain has 24 hours of data, you will see a clear graph of how Gmail rates your sending reputation. If the trend is down, this article is for you. If it is flat and high, you are probably fine — but watch it, because the trend tends to drift slowly over a year until the day it does not.
Deliverability is one of those problems that looks like a mail-server problem and is almost always a content problem. The content is what is leaving your forms.