PHPMailer issue... (long post)

Hi…So there’s this issue I can’t solve for a couple weeks already. I’m trying to send emails from my website’s form to my Gmail inbox, but it keeps landing up as a dangerous message and into the spam folder.

I’ve done my research and even set up the DKIM on cpanel, and the SPF settings, and telling my gmail account to accept-less-secure-apps as I’ve read from some guidelines.

Nothing has been working for me so far. Which leads me to think that there’s something wrong with my actual code and the way it’s written. Can anybody point me in the right direction?

Here’s the full code, and I’m quite certain there aren’t any typos. I think it’s just the way I’m sending the email that’s causing a problem. But I have no idea what to look for.


```php
<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
$msg = '';

include_once ''; //connection to database

if (isset($_POST['confirm'])) {

	// Raw form values: they are bound as parameters below, so no manual escaping is needed
	$order_number = $_POST['order_number'];
	$fname = $_POST['fname'];
	$lname = $_POST['lname'];
	$num = $_POST['num'];
	$email = $_POST['email'];
	$shipping = $_POST['shipping'];
	$addr1 = $_POST['addr1'];
	$addr2 = $_POST['addr2'];
	$addr3 = $_POST['addr3'];
	$addr4 = $_POST['addr4'];
	$date = $_POST['date'];
	$u_weight = $_POST['u_weight'];
	$u_qty = $_POST['u_qty'];
	$u_total = $_POST['u_total'];

	// Prepared statement: all 14 values are bound, none is concatenated into the SQL
	$sql = "INSERT INTO orders (order_number, fname, lname, num, email, shipping, addr1, addr2, addr3, addr4, date, u_weight, u_qty, u_total) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
	$stmt = mysqli_prepare($conn, $sql);
	mysqli_stmt_bind_param($stmt, str_repeat('s', 14), $order_number, $fname, $lname, $num, $email, $shipping, $addr1, $addr2, $addr3, $addr4, $date, $u_weight, $u_qty, $u_total);
	mysqli_stmt_execute($stmt);

	if (array_key_exists('email', $_POST)) {
		//Load Composer's autoloader
		require '../mailer/vendor/autoload.php';
		$body = "message body here";
		$mail = new PHPMailer(true);                              // Passing `true` enables exceptions
		try {
			//Server settings
			//$mail->SMTPDebug = 1;                                 // Enable verbose debug output
			$mail->isSMTP();                                      // Set mailer to use SMTP
			$mail->Host = '';                  // Specify main and backup SMTP servers
			$mail->SMTPAuth = true;                               // Enable SMTP authentication
			$mail->Username = '';                 // SMTP username
			$mail->Password = 'secret';                           // SMTP password
			$mail->SMTPSecure = 'tls';                            // STARTTLS on the submission port
			$mail->Port = 587;                                    // TCP port to connect to

			$mail->setFrom('', 'Sir Francis Fish Gelatine'); //from address must be yourself! otherwise will land in spam folder as forgery
			$mail->addAddress('', 'Sir Francis Fish Gelatine');     // Add a recipient
			$mail->addAddress('', 'Asma Moosagie');         // add more than 1 person

			// The customer's address goes in Reply-To only, never in From
			if ($mail->addReplyTo($email, $fname.' '.$lname)) {
				$mail->Subject = "Order #".$order_number." received on FishGelatine";
				//Keep it simple - don't use HTML
				//Build a simple message body
				$mail->AddEmbeddedImage('../img/header.png', 'emailheader');
				$mail->Body = $body;
				$mail->AltBody = strip_tags($body);

				$mail->DKIM_domain = "";
				$mail->DKIM_private = "mailer/rsa.private"; //path to file on the disk.
				$mail->DKIM_selector = "default"; //use public key in mailer folder and update in CPanel
				$mail->DKIM_passphrase = "";
				$mail->DKIM_identity = $mail->From; // property is DKIM_identity, not DKIM_identify

				if (!$mail->send()) {
					//The reason for failing to send will be in $mail->ErrorInfo
					//but you shouldn't display errors to users - process the error, log it on your server.
					$msg = 'Sorry, something went wrong. Please try again later.';
				} else {
					// URL-encode every value before it goes into the redirect
					header("Location: ../thankyou.php?".http_build_query([
						'date' => $date, 'order' => $order_number, 'product' => $u_weight,
						'qty' => $u_qty, 'total' => $u_total, 'fname' => $fname, 'lname' => $lname,
						'delivery' => $shipping, 'addr1' => $addr1, 'addr2' => $addr2,
						'addr3' => $addr3, 'addr4' => $addr4,
					]));
					exit;
				}
			} else {
				$msg = 'Invalid email address, message ignored.';
			}
		} catch (Exception $e) {
			// Log the mailer error on the server instead of echoing it to the visitor
			error_log('Message could not be sent. Mailer Error: '.$mail->ErrorInfo);
			$msg = 'Sorry, something went wrong. Please try again later.';
		}
	}
} else {
	header("Location: ../order.php?error");
	exit;
}
```

If it ends up in your SPAM folder, then there is nothing wrong with your script, because it IS sending the email. Are you using your gmail account to send the email to yourself or are you using your webserver’s email software to send the message? If you are using gmail to send you the message, it should not be going into the SPAM folder at all (because gmail trusts itself). However, if you are using your hosting server’s email software, then you will have to make sure your SPF records include the range of ip addresses for your webserver.
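
The check this reply describes (does the SPF record cover the web server's IP?), as an added example that is not part of the original post. The function names `ip4_in_cidr` and `spf_check_ip4`, the record and the addresses are constructed for illustration; only `ip4` and `all` terms are evaluated, and terms that need DNS are reported rather than resolved.

```php
<?php
// Added example. Evaluates only the ip4 and "all" terms of an SPF record;
// terms that need DNS (a, mx, include, ...) are listed, not resolved.
function ip4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    // Network mask for the prefix length (64-bit PHP integers assumed)
    $mask = (int) $bits === 0 ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

function spf_check_ip4(string $record, string $ip): array
{
    $qualifiers = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    $terms = preg_split('/\s+/', trim($record));
    if (strtolower((string) array_shift($terms)) !== 'v=spf1') {
        return ['result' => 'none', 'matched' => null, 'unevaluated' => []];
    }
    $unevaluated = [];
    foreach ($terms as $term) {
        $q = '+';                               // default qualifier when none is written
        if (isset($qualifiers[$term[0]])) {
            $q = $term[0];
            $term = substr($term, 1);
        }
        $lower = strtolower($term);
        $isIp4 = strncmp($lower, 'ip4:', 4) === 0;
        if ($lower === 'all' || ($isIp4 && ip4_in_cidr($ip, substr($term, 4)))) {
            return ['result' => $qualifiers[$q], 'matched' => $term, 'unevaluated' => $unevaluated];
        }
        if (!$isIp4) {
            $unevaluated[] = $term;             // a, mx, include:, ... would need a DNS lookup
        }
    }
    return ['result' => 'neutral', 'matched' => null, 'unevaluated' => $unevaluated];
}

// Constructed record and addresses (documentation ranges), shaped like the record in the thread
$record = 'v=spf1 +a +mx +ip4:203.0.113.10 ~all';
foreach (['203.0.113.10', '198.51.100.25'] as $ip) {
    $r = spf_check_ip4($record, $ip);
    printf("%-15s %-8s matched=%s unevaluated=%s\n", $ip, $r['result'], $r['matched'], implode(',', $r['unevaluated']));
}
```

A `softfail` from `~all` with `a` and `mx` still listed as unevaluated means the real outcome depends on what those hostnames resolve to for the sending server.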

Thanks for the response. I’m sending the email using my webserver’s email software. The SPF settings for that domain are as follows:
v=spf1 +a +mx +ip4: ~all
It includes Gmail’s ip address (I assume), so I can’t exactly see what’s the problem.

Also, could the attachment embedded inside the email-body be causing any issues at all?

That ip address looks like it might be on a shared hosting plan. There are 620 domains on it. I assume you do not control all of the domains on that server, so it could be another domain using that ip address has been flagged as a spammer, so anything you send would get the same flag.


Welcome to the wide crazy world of Email Deliverability! We’ll understand if you want to go home.

On your own account, you can whitelist your mailing from address to make sure it goes through as well as your IP. That way you can ensure you get the emails.

Google doesn’t like shared IPs and will often spam folder them if not completely throw them out. Usually if sending email campaigns to other addresses, you’ll want to use a dedicated IP that can be verified in your DMARC and/or DKIM but you need to have an ESP (email service provider) that has that functionality. It doesn’t generally go well on shared IP.

However, just have the form go to yourself. You’ll need to use a dedicated from address (not the person filling out the form) and in Gmail, whitelist it.

Be aware that Google considers passing a person’s email address as PII so they can (and often will) flag you on an email field that is not encrypted.


Yes. This is a huge spam flag.


If you already have a gmail account, I would just send the email to gmail account from your gmail account. Then, you do not have to worry about all of the other stuff (white listing, spf settings, dedicated ip, etc.).

Thanks guys, you both helped me figure out why this is happening. I’m not really computer literate, so a mighty big thumbs up! :slight_smile:

:star::star::star: Thanks for this explanation, I seriously never thought the problem could be with the actual shared hosting plan. I asked my web hosting server if they can dedicate an IP address to my domain, and hopefully that will be the solution. Thanks again :slight_smile: