Improve email deliverability in concrete5 with Gmail SMTP server and 2FA enabled
On any website, using any CMS, sending emails with the default PHP mail() function is a recipe for disaster. More often than not emails don’t get delivered or end up flagged as spam. As usual, concrete5 has your back. You can easily set up an SMTP server and drastically improve the reliability and deliverability of your emails. And using Gmail’s SMTP server you can even do it for free.
Benefits of using Gmail SMTP
- Deliverability and reliability: By using Gmail SMTP you will improve your emails' deliverability, and they will be less likely to end up in the spam folder
- Storage: Gmail can store and index the emails you send via its SMTP server. They will be searchable all in one convenient place and you won’t risk losing them
- Volume: With a free Gmail account, you can send up to 500 emails per rolling 24-hour period
- Paid volume: With a paid G Suite account ($5 per month) you can send up to 2,000 emails per rolling 24-hour period
I’d suggest that using Gmail SMTP with a free account is a good idea if your goal is simply to receive messages sent to you by users of your site. Nothing is worse than being contacted by a potential client and not getting the message, and Gmail’s SMTP server can save you that embarrassment.
For other purposes, maybe ponder the limitations and drawbacks before making a decision.
Limitations of Gmail SMTP
- From address: With a free Gmail account, you can only send emails from a Gmail email (you@gmail.com)
- If you try to send more emails than allowed per 24-hour rolling period Gmail might very well disable your account
- If you send too many emails to bogus addresses your account might also get disabled
If you’d like to know more about potential drawbacks you can read this article.
Setting your default “From” email in concrete5
As explained above, if you’re using a free Gmail account your “From” email address has to be a Gmail address, preferably the one linked to the account you’re using in your settings.
It is then important to set your “From” email in concrete5 so it is used automatically and your emails don’t get rejected.
Navigate to your dashboard’s page /dashboard/system/mail/addresses or, alternatively, type “system email” in your intelligent search box and look for “System Email Addresses” and you’ll get there.
Populate at least your “Default” email address, your “Forgot Password” address, and your “Form Block” address. For the rest, populate the ones you think you might need or play it safe and just do them all.
Setting up Gmail SMTP in concrete5
Setting up Gmail SMTP in concrete5 is a breeze. Whether you have 2-Factor Authentication (2FA) enabled on your Gmail account or not, the settings are all the same except for the password.
Simply navigate to your dashboard’s SMTP Method page /dashboard/system/mail/method or, alternatively, type “SMTP” in your intelligent search box and you’ll find it.
When you reach that page (screenshot below) make sure you enable SMTP and set it to use an external SMTP server.
The settings should be populated as follows:
- Mail Server: smtp.gmail.com
- Username: your Gmail account’s username
- Password: Your Gmail account’s password
- Encryption: either TLS (preferred) or SSL
- Port: 587 for TLS or 465 for SSL
Concerning the encryption, long story short, TLS is more secure than SSL. If you want to know more, feel free to read this article to understand the differences between SSL & TLS.
Now click on the bottom-left “Test Settings” button and send a test email.
If it works you’re all set.
I have to point out that if it works it means you didn’t enable 2FA on your Gmail account 😱 and you’re taking incalculable risks that I wouldn’t wish upon my worst enemy. That’s just crazy behavior. Seriously!
If it fails, there’s a probability you forgot 2FA was enabled on your Gmail account and there’s an extra step to take.
Dealing with 2-factor authentication
So you take security seriously and you have 2FA enabled on your Gmail account. Good for you!
In that case, follow these steps:
From your Gmail account click on your avatar in the top-right corner then click on the button “Manage your Google Account”.
In the new page that opens click on “Security” in the left-hand menu.
There, under “Signing in to Google” click on “App passwords”.
You will be asked to confirm your Gmail password for security reasons.
In the new page, under “Select App” click on “Other (Custom Name)”.
Give your app a meaningful name, for instance, the name of your website. Then click on “Generate”.
Gmail will give you a 16-digit code that you must use in concrete5 instead of the normal Gmail password. I suggest you copy and paste it. If you decide you absolutely need to type it manually, do not include the spaces every 4 digits.
When you’re done and you close that popup you’ll see your app listed. As long as you need it in your concrete5 website, don’t delete it.
Use the 16-digit code you just generated in your concrete5 SMTP settings page in place of the normal Gmail password.
Finally, run your test again.
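An added example (not from the original post and not concrete5 code): a stand-alone Python check of the same settings, useful when “Test Settings” fails and you need to tell a rejected login from a port/encryption mismatch. The environment variable names, and the assumption that the username is the full Gmail address also used as “From”, are this example's own.

```python
import os
import smtplib
import ssl

# Encryption/port pairs from the settings list. "TLS" on 587 upgrades the
# session with STARTTLS; "SSL" on 465 is encrypted from the first byte.
MODES = {"TLS": 587, "SSL": 465}

def normalize_app_password(raw):
    """Remove the display spaces from an app password and check its length."""
    code = "".join(raw.split())
    if len(code) != 16:
        raise ValueError(f"expected 16 characters without spaces, got {len(code)}")
    return code

def check_settings(encryption, port, from_addr):
    """Return the problems that would break sending through a free Gmail account."""
    problems = []
    if MODES.get(encryption) != port:
        problems.append(f"port {port} does not match encryption {encryption}")
    if not from_addr.lower().endswith("@gmail.com"):
        problems.append(f"From address {from_addr} is not a Gmail address")
    return problems

def try_login(encryption, username, password, host="smtp.gmail.com"):
    """Authenticate over a certificate-verified session and return a verdict."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        if encryption == "SSL":
            conn = smtplib.SMTP_SSL(host, MODES[encryption], context=ctx, timeout=15)
        else:
            conn = smtplib.SMTP(host, MODES[encryption], timeout=15)
        with conn:
            if encryption == "TLS":
                conn.starttls(context=ctx)
            conn.login(username, password)
        return "ok"
    except smtplib.SMTPAuthenticationError as exc:
        return f"login rejected ({exc.smtp_code}): with 2FA enabled, use an app password"
    except (smtplib.SMTPException, OSError) as exc:  # OSError covers TLS and socket errors
        return f"connection or TLS problem: {exc}"

if __name__ == "__main__":
    # GMAIL_USER / GMAIL_APP_PASSWORD are hypothetical variable names for this example;
    # GMAIL_USER is assumed to be the full Gmail address, also used as "From".
    user = os.environ["GMAIL_USER"]
    secret = normalize_app_password(os.environ["GMAIL_APP_PASSWORD"])
    print(check_settings("TLS", 587, user) or try_login("TLS", user, secret))
```

Reading the app password from the environment keeps it out of shell history and out of the script itself.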
Where to go from here?
This is not only a total plug; it is also barely only semantically related to this post so all my apologies but please bear with me. It is something of a public safety announcement.
2-Factor Authentication is paramount. It is one more shield between you and the loss of your accounts to malevolent hackers. That also includes losing access to and control of your concrete5 website, your business, your clients.
2FA is an extra level of security that’s dependent on something you own (your phone) added to something you know (your password). To break into a 2FA secured website the hacker would have to know your password AND have your phone, making it all the harder to circumvent.
I urge you to have a look at my concrete5 package “Two-Factor Login Security” to install 2FA on your website and enable it on all your and your users’ accounts. The plugin’s demo page is also pretty nifty if I may say so myself.