NimblyMail SMTP

NimblyMail is a comprehensive SMTP and email logging plugin designed to fix WordPress email deliverability issues. By default, WordPress uses the unreliable PHP mail() function, which often causes emails to land in the spam folder or never deliver. NimblyMail solves this by reconfiguring WordPress to securely route your site’s emails through a proper SMTP server or dedicated email provider.

Whether you need to connect via a standard SMTP host, Gmail OAuth, Microsoft 365 OAuth, Amazon SES, Resend, SendLayer, Brevo, or ZeptoMail, NimblyMail ensures your emails reach the inbox. Plus, with comprehensive email logging, a background queue, a developer sandbox, and an automated deliverability audit, you get full delivery monitoring and one-click troubleshooting.

At a glance

• Nine email providers — SMTP, Gmail OAuth, Outlook / Microsoft 365 OAuth, Amazon SES, Resend, SendLayer, Brevo, ZeptoMail, and PHP mail.
• Free Email Logging — Comprehensive log with search, status filters, and one-click resend of failed emails.
• Background Queue — Defer wp_mail() calls to a non-blocking queue powered by Action Scheduler, with three-tier priority, exponential backoff retries, and admin tools to retry or cancel pending mail.
• Developer Sandbox — Stop staging and local environments from sending real email. Choose Log Only (capture and short-circuit) or Redirect (rewrite every recipient to a single safe address). Optional allowlist for addresses that should bypass the sandbox.
• Deliverability Health Audit — Automated DNS-based audit of SPF, DKIM, DMARC, and PTR for the active sender domain, with scheduled checks and human-readable findings per pillar.
• Clean, Modern Dashboard — Delivery stats, connection health, queue health widget, deliverability summary, and recent activity at a glance.
• Selectively disable WordPress notification emails across 8 categories (over 25 individual triggers).
• Failure alerts delivered via PHP’s native mail() so a broken transport can’t silence them.
• AES-256-CBC credential encryption with optional PHP-constant overrides in wp-config.php.
• First-class WordPress Multisite support with network defaults, per-site overrides, and per-field locks.
• Guided setup wizard with auto-detection and one-click import from existing SMTP plugins.

Supported Email Providers

• Other SMTP — Connect to any SMTP server (Outlook, Office 365, Mailgun, SendGrid, Zoho, etc.)
• Gmail / Google Workspace — Authenticate securely via Google OAuth without managing your own Google Cloud credentials.
• Outlook / Microsoft 365 — Authenticate via Microsoft OAuth and send through smtp.office365.com without registering your own Azure application.
• Amazon SES — Send via AWS Simple Email Service
• Resend — Modern email API for developers
• SendLayer — Transactional email delivery service
• Brevo — Transactional email API (formerly Sendinblue)
• ZeptoMail — Zoho’s transactional email service with regional endpoints
• Default (PHP) — Fallback to the built-in PHP mail function

Email Logging

Every outgoing email is logged with recipient, subject, status, headers, and optional body capture. Search and filter logs by status (sent, failed, pending), resend failed emails with one click, and view full message details in a modal preview.

Background Queue

Turn the queue on under NimblyMail > Settings > Mail Queue and every wp_mail() call returns immediately. Messages are persisted to a database queue, dispatched by Action Scheduler in priority order (high / normal / bulk), and retried with exponential backoff on transient failures. Attachments are staged on enqueue so request-scoped tmp files cannot break delayed delivery. The Queue admin screen lists pending and failed items with retry / cancel actions, and the dashboard surfaces a queue-health widget. Test emails and admin alerts continue to send synchronously by default so you always get immediate feedback.

Developer Sandbox

Working on a staging copy or local clone? Turn on the sandbox to guarantee no real customer ever receives an accidental email. Pick Log Only to capture and short-circuit every wp_mail() call so they show up in the Email Log without leaving the host, or Redirect to rewrite every recipient to a single safe address with the originals preserved in X-NimblyMail-Original-* headers and a configurable subject prefix. An allowlist (exact email or *@domain.com) lets through addresses you do want delivered for testing. Sandboxing is settings-driven, switchable from the Network Admin on multisite, and visible at a glance via an admin-bar badge.

Deliverability Health Audit

NimblyMail runs an automated DNS audit of the active sender domain on a schedule (and on demand) and surfaces the result on the Deliverability page and the dashboard. The audit covers four pillars — SPF, DKIM, DMARC, and PTR — and is mailer-aware: required SPF includes and DKIM selectors are sourced from whichever provider you have configured (Gmail, Outlook 365, SES, etc.), with skip explanations for cases where a check does not apply. Findings are human-readable: each pillar shows pass/warn/fail with a one-line reason and a link to the relevant provider documentation.

Email Controls

Selectively disable WordPress notification emails you don’t need — comment notifications, password reset emails, new user registrations, automatic update notices, and more. Over 25 individual email types across 8 categories can be toggled on or off.

Failure Alerts

Receive instant alerts when emails fail to deliver. Configure alert recipients with optional CC and BCC addresses. Alerts are sent via PHP’s native mail function to bypass the broken transport.

Security

Credentials (SMTP passwords, API keys) are encrypted at rest using AES-256-CBC with HMAC-SHA256 verification. Settings can be locked via PHP constants in wp-config.php, making sensitive fields read-only in the admin UI.

Settings Import

Migrating from another SMTP plugin? NimblyMail automatically detects existing SMTP-plugin configurations and offers one-click import through the setup wizard.

WordPress Multisite

First-class multisite support. Network-activate the plugin once and every sub-site inherits the network defaults until a site admin explicitly overrides a field. Super admins get a Network Admin → NimblyMail surface with an aggregated dashboard, a sites table, per-field locks, and a per-site override editor.

Clean Dashboard

Built with Vue 3 and Ant Design, the dashboard is fast, responsive, and designed to feel native to WordPress. A guided setup wizard helps you configure everything in minutes, while the main dashboard provides a clear overview of your email delivery health.

Development and source code

The complete, human-readable source code for NimblyMail is maintained in the public WordPress.org SVN repository for this plugin. Browse it directly in your web browser via the Trac UI:

• Browse source: https://plugins.trac.wordpress.org/browser/nimblymail-smtp/trunk/
• SVN checkout: svn checkout https://plugins.svn.wordpress.org/nimblymail-smtp/trunk/ nimblymail-smtp

The repository trunk/ directory contains:

• src/ — the PHP backend (PSR-4 autoloaded, plain readable PHP).
• apps/ — the Vue 3 + TypeScript single-page apps (Dashboard, Settings, Email Logs, Tools, Setup Wizard, Network Admin) that get compiled into the minified bundles under dist/.
• package.json, package-lock.json, tsconfig.json, tsconfig.node.json, vite.config.ts — the build configuration needed to reproduce the exact dist/ bundles.
• The current dist/ build output plus per-bundle source-map files (*.js.map, *.css.map).

The minified JavaScript and CSS files under dist/ are produced from the Vue/TypeScript sources under apps/ using Vite. To rebuild them yourself from a trunk/ checkout:

1. From the plugin directory, run composer install to install PHP dependencies (PSR-4 autoloader + Action Scheduler).
2. Run npm install to install the JavaScript build dependencies declared in package.json.
3. Run npm run build to regenerate the dist/ bundle from the apps/ sources. For local development with hot-module replacement, run npm run dev (Vite dev server) after adding define( 'HMR_DEV', 'nimblymail-smtp' ); to your wp-config.php.

How files under `dist/` map to readable source

Inside the SVN trunk/, every minified JavaScript and CSS file under dist/ is accompanied by a .map source-map file (e.g. dist/dashboard.<hash>.js ships with dist/dashboard.<hash>.js.map). The source map fully describes how each minified file was produced from the readable Vue / TypeScript files under apps/, and any modern browser DevTools panel or build tool can use it to inspect the original source line-by-line. The high-level mapping is:

• dist/<entry>.<hash>.js — the entry-point bundle for one of the admin apps. Direct source: apps/<entry>/index.ts (e.g. dist/dashboard.<hash>.js comes from apps/dashboard/index.ts). Entry names are: dashboard, settings, email-logs, queue, tools, wizard, deliverability, network-sites, network-dashboard.
• dist/chunks/<name>.<hash>.js — shared chunks auto-emitted by Vite/Rollup whenever a module is imported by two or more entry points. They contain no plugin-specific code that is not also visible in the readable sources under apps/ (and in node_modules/ for upstream dependencies like Vue, Ant Design Vue, Vue Router, and Pinia). The dist/chunks/AppHeader.<hash>.js chunk in particular bundles the shared admin shell (apps/shared/AppHeader.vue, apps/shared/theme.ts, apps/shared/i18n.ts, the Axios HTTP client in apps/shared/api.ts) together with the Vue runtime and Ant Design Vue components, because every admin page imports them.
• dist/assets/<name>.<hash>.css — compiled CSS extracted from the corresponding Vue Single-File Components under apps/. Source-maps are emitted for these too (*.css.map).

The full version history of the plugin is also browsable on its WordPress.org page at https://wordpress.org/plugins/nimblymail-smtp/.

External services

NimblyMail does not contact any third-party service on its own. Outbound network requests only happen when you actively configure and select a mailer that uses an external provider, and only at the time of sending an email (or, for OAuth providers, when authorizing the connection).

The plugin connects to the following services depending on which mailer you choose. None of these are contacted unless you select that mailer and enter credentials.

• NimblyMail OAuth Proxy (https://oauth.nimblymail.com) — Used only when you choose Gmail or Outlook / Microsoft 365 as your mailer. The proxy is operated by the plugin author (NimblyMail Team) and exists so you don’t have to register your own Google Cloud project or Azure application. Endpoints contacted: https://oauth.nimblymail.com/authorize/{google|microsoft}, https://oauth.nimblymail.com/token/{google|microsoft}, https://oauth.nimblymail.com/refresh/{google|microsoft}, https://oauth.nimblymail.com/revoke/{google|microsoft}. Data sent: your site URL (get_home_url()), an OAuth state value and PKCE challenge generated by the plugin, the authorization code returned by Google/Microsoft after consent, the refresh token (signed with a per-install HMAC secret) on every token refresh. No email content, recipient lists, or message metadata is ever sent to the proxy — actual mail delivery goes directly from your site to Gmail’s / Microsoft’s SMTP servers. NimblyMail Terms of Service: https://nimblymail.com/terms-of-service/ — NimblyMail Privacy Policy: https://nimblymail.com/privacy-policy/

• Other SMTP — When configured, every email is sent over SMTP to the server you specify (host, port, encryption, credentials). The data sent is the email itself: From / To / CC / BCC / Subject / Body / attachments. The remote SMTP server is operated by you or your provider; NimblyMail does not select it.

• Gmail / Google Workspace — Uses Google’s OAuth 2.0 service (via the NimblyMail OAuth Proxy described above) to authorize sending, and smtp.gmail.com:587 (XOAUTH2) to deliver mail. Direct endpoints contacted: https://accounts.google.com/o/oauth2/v2/auth (consent screen), https://www.googleapis.com/oauth2/v2/userinfo (read the authorized email address for the SASL user= field), smtp.gmail.com (SMTP delivery). Data sent directly to Google: the email envelope and message content at send time. Google Terms of Service: https://policies.google.com/terms — Google Privacy Policy: https://policies.google.com/privacy

• Outlook / Microsoft 365 — Uses Microsoft’s OAuth 2.0 service (via the NimblyMail OAuth Proxy described above) to authorize sending, and smtp.office365.com:587 (XOAUTH2) to deliver mail. Direct endpoints contacted: https://login.microsoftonline.com/common/oauth2/v2.0/authorize (consent screen), https://graph.microsoft.com/v1.0/me (read the authorized email address), smtp.office365.com (SMTP delivery). Data sent directly to Microsoft: the email envelope and message content at send time. Microsoft Services Agreement: https://www.microsoft.com/en/servicesagreement/ — Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement

• Amazon SES — When configured, emails are sent over SMTP to the AWS SES endpoint you select (e.g. email-smtp.us-east-1.amazonaws.com). Data sent: email envelope and content, plus AWS access key ID and secret. AWS Service Terms: https://aws.amazon.com/service-terms/ — AWS Privacy Notice: https://aws.amazon.com/privacy/

• Resend — When configured, emails are sent via HTTPS POST to https://api.resend.com/emails. Data sent: API key, email envelope and content. Resend Terms of Service: https://resend.com/legal/terms-of-service — Resend Privacy Policy: https://resend.com/legal/privacy-policy

• SendLayer — When configured, emails are sent via HTTPS POST to https://console.sendlayer.com/api/v1/email. Data sent: API key, email envelope and content. SendLayer Terms: https://sendlayer.com/terms-of-service/ — SendLayer Privacy Policy: https://sendlayer.com/privacy-policy/

• Brevo — When configured, emails are sent via HTTPS POST to https://api.brevo.com/v3/smtp/email. Data sent: API key, email envelope and content. Brevo Terms of Service: https://www.brevo.com/legal/termsofuse/ — Brevo Privacy Policy: https://www.brevo.com/legal/privacypolicy/

• ZeptoMail — When configured, emails are sent via HTTPS POST to the regional endpoint you select (e.g. https://api.zeptomail.com/v1.1/email, with eu, in, com.cn, or com.au available). Data sent: Send Mail Token, email envelope and content. Zoho Terms of Service: https://www.zoho.com/zeptomail/terms.html — Zoho Privacy Policy: https://www.zoho.com/privacy.html

• Default (PHP) — No external service. Emails are handed to the PHP mail() function and routed by your server.

In addition, NimblyMail logs each outgoing email locally to a database table on your own WordPress site. No log data is ever transmitted off-site.

The Deliverability Health Audit performs DNS-only lookups for the configured sender domain. When the host’s PHP dns_get_record() is unavailable or restricted, NimblyMail falls back to public DNS-over-HTTPS resolvers (https://cloudflare-dns.com/dns-query and https://dns.google/resolve) to retrieve SPF, DKIM, DMARC, and PTR records. Only the sender domain (and DKIM selector when applicable) is sent in the query — no mail content. Cloudflare DoH Privacy: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/ — Google Public DNS Privacy: https://developers.google.com/speed/public-dns/privacy