Recent Problems in the SMTP Service
Recently sites in Seravo’s hosting have suffered from delays in email delivery, affecting our customers on a large scale. Sites’ email traffic has been temporarily halted on all sites using SendGrid’s SMTP service, which is included in our plans by default. Sites that have been configured to use a separate SMTP service have not been affected. Furthermore, our customers’ personal email addresses or messages sent from them have not been affected by these deliverability issues.
By default, SendGrid has been the default SMTP solution at Seravo for a long time, and has been a functional and reliable service with no major service outages. Recent, intermittent albeit temporary disruptions with message flow are due to a change in SendGrid’s policy, whereby the service reacts to spam by blocking all email traffic altogether. These spam messages originate from unsecured forms on individual WordPress sites in our hosting.
Although the recent problems are unlikely to have resulted in lost messages, long delays have occurred in their delivery, causing problems for customers and their sites.
Emails Generated and Sent by WordPress
WordPress sites generate and send emails of various kinds, including but not limited to messages about password resets, WooCommerce order confirmations and contact form notifications. Sadly, spammers and bots can also use unprotected contact forms for sending spam.
While vast majority of sites have properly configured contact forms, unfortunately there are many ways to implement a contact form – and so are the possibilities to spot and abuse vulnerabilities. New exploits are constantly sought for and identified. The fight against spam is justified, but it requires constant improvements, and thus no technology is 100% spam-proof.
Contact Forms Attract Bots
Spam is not typically sent by humans, but by bots that have automated the process. In practice, bots look for any unprotected forms and try to use them to send messages in any way they can. A copy of the contact form email message often ends up only in the inbox of the site administrator. However, oftentimes the form can be set up to send another copy of the message to the “victim’s” email address, which the bot has picked up.
Protect the Contact Forms
A captcha test protects the contact form so that the bots won’t be able to use it for sending spam. You can find various captcha plugins on WordPress.org. If the contact form on your site has been built with a plugin, it’s a good idea to read the instructions or documentation of said plugin for more information on how to protect it.
What’s next?
The encountered email deliverability issues are unfortunate and unexpected, and we are sorry for the inconvenience the problems have caused to our customers. While we have actively sought to prevent their recurrence, the unannounced change in SendGrid’s policies and the resulting problems do not meet our standards of service quality nor reliability, and we are now looking for a replacement.
Plans to replace SendGrid during 2024 had already been made, but due to the significant disruption caused by these issues we are prioritising finding a replacement for the SMTP service as soon as possible. The aim is to ensure that all WordPress sites in our hosting use a solution that is reliable and works within the EU, complying with the GDPR.
This will mean changes to the SPF, DKIM and DMARC records of our customers’ domains. These changes will require careful preparation as we do not want the changes to result in any data loss or other disruption to our customers’ sites’ email traffic at any time.
We will keep our customers informed of the progress of these plans. If you have any questions about the SMTP service, upcoming plans or the deliverablity issues, you can always get in touch with our customer service.
Service Status
For up-to-date information of the status of our hosting services, please visit our status page at status.seravo.com. You can also subscribe to Slack notifications for status updates.