SMTP for Magento 2 — Reliable Email Relay with OAuth2 & Logging
SMTP routes your Magento 2 transactional email through a real mail provider instead of the unreliable PHP mail() function — so order confirmations, password resets and invoices actually reach the inbox. Pick from 19 one-click provider presets, authenticate with LOGIN, PLAIN, CRAM-MD5 or modern …
If your order emails land in spam, you lose the sale's trust
Out of the box, Magento hands your email to PHP's mail() function — which has no authentication, no deliverability reputation, and no way to tell you when a message vanished. Order confirmations land in spam, password resets never arrive, and you only find out when a customer emails to ask where their receipt is. SMTP routes every message through a real mail provider with proper authentication, so your transactional email actually reaches the inbox — and logs every send so you can prove it did.
What you'll use it for
- Fix deliverability — move off
mail()to an authenticated provider so order, invoice and reset emails reach the inbox. - Connect Gmail or Microsoft 365 securely — use OAuth 2.0 instead of app passwords, which both providers are phasing out.
- Audit what was sent — open the email log to see, preview and resend any message a customer says they never received.
- Protect your staging site — switch on dev mode so a test environment never accidentally emails real customers.
How it works
Works with the provider you already use
Nineteen presets cover the major providers (including four Amazon SES regions). Select one and the host, port, security and authentication fields fill themselves — or enter your own server by hand. Whatever you choose, you can add a plain-text alternative part to improve spam scoring, set a global CC/BCC for archiving, and define a Return-Path for bounce tracking.
Secure by design
Built on a modern Symfony mail transport — no shelling out, no plaintext secrets. SMTP passwords, OAuth client secrets and refresh tokens are all stored encrypted in Magento's standard config encryption, never in plain text. For Gmail and Microsoft 365 it uses OAuth 2.0 (XOAUTH2): you supply a long-lived refresh token once and the module exchanges it for short-lived access tokens automatically, so there's no app password to leak. The connection uses TLS or SSL, and a developer mode can suppress real delivery on staging while still allowing an allow-list of addresses through.
Specifications
| Provider presets | 19 (Gmail, Microsoft 365, Outlook, 4× Amazon SES regions, SendGrid, Mailgun, Postmark, Mailjet, Brevo, SparkPost, Mandrill, Zoho, Yahoo, SMTP2GO, Elastic Email, OVH) |
|---|---|
| Security | TLS, SSL or none — ports 587 / 465 / 25 and custom |
| Authentication | LOGIN, PLAIN, CRAM-MD5, OAuth 2.0 (XOAUTH2) for Google and Microsoft |
| Credentials | Passwords, OAuth secrets and refresh tokens stored encrypted |
| Testing | Built-in test-email button |
| Email log | Log all sends with preview, single & bulk resend, delete, and auto-clean after N days |
| Email options | Plain-text part, sender override, global CC/BCC, Return-Path |
| Dev mode | Disable real delivery with allow-listed exception addresses/domains |
| Delivery & licence | Composer install, per-domain licence key, updates via Composer |
Works with
Part of the AgenticEcom suite for Core & System:
Underpins every email the suite sends — failure alerts, ticket replies, form notifications. Included in the Growth and Enterprise bundles.
Frequently asked questions
Why won't Magento's default email reach the inbox?
By default Magento uses PHP's mail(), which sends unauthenticated mail with no provider reputation — so it's frequently filtered to spam or rejected. Routing through an authenticated SMTP provider gives your mail proper credentials and a sending reputation, which is what mailbox providers trust.
Can I connect Gmail or Microsoft 365 with OAuth instead of a password?
Yes. Choose OAuth 2.0 (XOAUTH2), pick Google or Microsoft, and supply your app's client ID, secret and a refresh token. The module exchanges the refresh token for short-lived access tokens automatically — no app password required.
Can I see and resend emails that have been sent?
Yes. With email logging on, every outgoing message is recorded. You can preview the exact email, resend a single message or many in bulk, and auto-clean old logs after a number of days.
How do I stop a staging site emailing real customers?
Turn on developer mode to disable actual delivery. You can still allow specific email addresses or whole domains through, so your team receives test mail while customers never do.
Which Magento and PHP versions are supported?
Magento Open Source 2.4.9 and later 2.4.x, verified on PHP 8.4 and 8.5.