Skip to content

Adam Greenwell

Email Provider Configuration

Email providers let Guard Dog send two-factor codes and other transactional email through a real mail service instead of hoping your host's default wp_mail() setup is having a good day.

You can use the configured provider for Guard Dog email only, or optionally route all WordPress email through it.

Why Configure an Email Provider?

WordPress default email can be unreliable:

  • Many hosts block or limit PHP mail
  • Messages can land in spam
  • There is usually no delivery log
  • Sender authentication is often weak or missing

Professional email providers give you:

  • Better deliverability
  • SPF, DKIM, and DMARC support
  • Delivery logs and error messages
  • Higher sending limits
  • A more trustworthy sender identity

When You Need This

Configure an email provider if you use:

  • Email-based 2FA
  • Password resets that must reliably arrive
  • Security notifications
  • Optional global wp_mail() replacement for all WordPress email

App-based 2FA and passkeys do not require an email provider.

Supported Providers

Provider Best For Setup Notes
Amazon SES High-volume, low-cost sending Harder Great pricing, more AWS setup.
Mailgun Mature transactional email Medium Good logs and domain tooling.
Resend Simple modern setup Easy A friendly default for most small/medium sites.
SendGrid Established enterprise sending Medium Strong ecosystem and sender tools.
Google Gmail / Google Workspace mailbox identity Medium OAuth recommended; app password supported as legacy mode.

Quick Recommendation

For most sites, start with Resend. Use Amazon SES if cost and scale matter more than setup simplicity. Use Google when messages must come from a Gmail or Workspace mailbox. Use Mailgun or SendGrid if your team already has those providers wired into its world.

Common Fields

Most providers ask for:

  • From Email – The sender address users see
  • From Name – The friendly sender name, such as your site name
  • API key or credentials – Provider-specific secret used to send mail

Use a sender address on a domain you control, such as security [at] yoursite.com or noreply [at] yoursite.com.

Amazon SES Setup

  1. Create or open your AWS account.
  2. Open Amazon SES in the AWS region you want to use.
  3. Verify your sender email or, preferably, your full domain.
  4. Add the DNS records SES provides.
  5. Request production access if your account is still in sandbox mode.
  6. Create an IAM user or credentials with SES sending access.
  7. In Guard Dog, select Amazon SES.
  8. Enter Access Key ID, Secret Access Key, Region, and From Email.
  9. Save settings and send a test email.

SES is very cost-effective, but do not skip production access. In sandbox mode, SES can only send to verified recipients.

Mailgun Setup

  1. Create or open your Mailgun account.
  2. Add your sending domain, such as mg.yoursite.com.
  3. Add Mailgun's DNS records for SPF and DKIM.
  4. Wait for Mailgun to verify the domain.
  5. Create or copy a sending API key.
  6. In Guard Dog, select Mailgun.
  7. Enter API Key, Domain, and From Email.
  8. Save settings and send a test email.

Your From Email should belong to the Mailgun domain or a domain Mailgun is authorized to send for.

Resend Setup

  1. Create or open your Resend account.
  2. Add your domain.
  3. Add the SPF and DKIM DNS records Resend provides.
  4. Create an API key with sending access.
  5. In Guard Dog, select Resend.
  6. Enter API Key and From Email.
  7. Save settings and send a test email.

Resend is usually the easiest provider to get running cleanly.

SendGrid Setup

  1. Create or open your SendGrid account.
  2. Set up sender authentication.
  3. Prefer domain authentication over a single sender when possible.
  4. Create an API key with Mail Send permission.
  5. In Guard Dog, select SendGrid.
  6. Enter API Key and From Email.
  7. Save settings and send a test email.

If emails do not arrive, check SendGrid's activity feed and suppression lists.

Google Setup

Google supports two authentication modes.

  1. In Guard Dog, select Google as the email provider.
  2. Set Authentication Mode to OAuth.
  3. Enter the Google Account Email if it differs from the From Email.
  4. Enter From Email and optional From Name.
  5. Create a Google Cloud project or choose an existing one.
  6. Enable the Gmail API.
  7. Create an OAuth 2.0 Client ID for a web application.
  8. Add the callback URL shown in Guard Dog to the authorized redirect URIs.
  9. Paste the OAuth Client ID and Client Secret into Guard Dog.
  10. Save settings.
  11. Click Connect Google Account.
  12. Sign in to the mailbox that should send email.
  13. Send a test email.

Guard Dog fills the refresh token automatically after the OAuth connection succeeds.

Gmail Alias Tools

If you send from a Gmail or Workspace alias, use:

  • Validate From Alias to confirm the configured From Email exists in Gmail send-as settings
  • Load Gmail Aliases to choose a verified Gmail alias and apply it to Guard Dog

The alias must already exist and be verified in Gmail or Workspace.

App Password Mode

Use App Password mode only when OAuth is not practical.

  1. Enable 2-Step Verification on the Google account.
  2. Generate an app password in Google account security settings.
  3. In Guard Dog, choose Google and App Password mode.
  4. Enter the mailbox, From Email, From Name, and app password.
  5. Save settings and send a test email.

Use for All WordPress Emails

By default, Guard Dog uses the provider for Guard Dog email only. If you enable Use Guard Dog Email Provider for all WordPress emails, Guard Dog intercepts WordPress wp_mail() and sends those messages through your configured provider.

Use this when:

  • Host email is unreliable
  • Password reset emails are not arriving
  • WooCommerce, membership, or form emails need the same authenticated sender
  • You want one transactional email provider for the whole site

Before enabling global override:

  1. Save provider settings.
  2. Send a test email.
  3. Confirm SPF, DKIM, and DMARC are correct.
  4. Test a real WordPress password reset.
  5. Enable the global override only after the provider is proven.

If there is trouble, turn the global override off and WordPress returns to its normal mail path.

Testing

Send a Test Email

  1. Go to Guard Dog -> Settings -> Email Provider.
  2. Enter a test recipient.
  3. Click Send Test Email.
  4. Check the inbox and spam folder.
  5. If it fails, enable Debug logging and review the Email Provider entries.

Test Email 2FA

  1. Configure and test the provider.
  2. Enable email 2FA in Guard Dog -> Authentication -> Two-Factor Authentication.
  3. Enable email 2FA for a test user.
  4. Log out and log back in.
  5. Confirm the code arrives and works.

Troubleshooting

Test Email Not Received

Check these first:

  • Spam folder
  • Provider delivery logs
  • API key permissions
  • DNS records
  • From Email verification
  • Guard Dog debug logs

Provider-specific checks:

  • Amazon SES: Confirm production access, region, and IAM permissions.
  • Mailgun: Confirm API key, domain, and sender domain.
  • Resend: Confirm API key and domain verification.
  • SendGrid: Confirm API key has Mail Send permission and sender is authenticated.
  • Google: Confirm OAuth is connected, refresh token is present, or app password is current.

Wrong Sender Email Appears

Make sure the From Email is verified with the provider. For Google, also confirm the From Email exists as a verified Gmail send-as alias.

Access Denied or Not Authorized

This usually means the provider rejected the credentials or sender.

  • Regenerate the API key or secret.
  • Confirm the API key has send permissions.
  • Confirm the From Email is verified.
  • For Google OAuth, reconnect the account.

Emails Go to Spam

Add SPF, DKIM, and DMARC records. Use a domain sender instead of a personal mailbox when possible, and send a plain, recognizable security email.

Google Alias Validation Fails

The From Email must be listed in Gmail's Send mail as settings for the connected account. Add and verify the alias in Gmail or Workspace, then try Validate From Alias again.

Best Practices

  1. Use a domain sender, not a personal mailbox, unless Google Workspace identity is the point.
  2. Add SPF, DKIM, and DMARC.
  3. Send a test email before enabling email 2FA.
  4. Keep API keys private.
  5. Rotate provider credentials when staff or vendors change.
  6. Enable Debug logging only while troubleshooting.
  7. Keep app-based 2FA or recovery codes available as a backup.
  8. Be careful with the global email override; test first, then flip the switch.

FAQ

Q: Do I need an email provider?

A: Only if you use email 2FA or need more reliable transactional email. App-based 2FA and passkeys do not need it.

Q: Which provider should I choose?

A: Resend for simplicity, Amazon SES for cost/scale, Google for Workspace mailbox identity, and Mailgun or SendGrid if your team already uses those platforms.

Q: Will this affect regular WordPress emails?

A: Not unless you enable Use Guard Dog Email Provider for all WordPress emails. With that setting off, Guard Dog email uses the provider and other WordPress email stays on wp_mail().

Q: Can I switch providers later?

A: Yes. Select a different provider, enter its credentials, save, and send a test email.

Q: Can I use Gmail?

A: Yes. Use Google OAuth when possible. App Password mode exists for legacy setups, but OAuth is the better long-term path.

Q: What happens if email sending fails during email 2FA?

A: The user cannot complete email 2FA until delivery works. Keep recovery codes, app-based 2FA, or an admin recovery process available.

← Temporary User Access | Documentation Home | FAQ →