Contact Form 7 sends submissions through WordPress’s wp_mail() function. By default wp_mail() falls back to PHP mail(), which on most hosts produces unsigned messages that land in Gmail’s spam folder or get rejected outright. Routing CF7 through Gmail’s authenticated SMTP relay fixes this; the form’s recipient sees a signed message from a known Google address.
The same setup works for personal Gmail and Google Workspace; the differences between Workspace and free Gmail matter for daily send limits but not for the SMTP configuration itself.
Before you wire CF7 to Gmail
Gmail’s SMTP server is a working transport for low-volume WordPress forms. It is not a A transactional email is the automated message a WordPress site sends in response to a single user action – a password reset, an order confirmation, a form receipt – addressed to the user who triggered it. Read full reference → service, and there are three constraints worth weighing before setup.
Daily send limits. Personal Gmail caps outbound mail at 500 recipients per 24-hour rolling window. Google Workspace allows 2,000 external recipients per day on SMTP relay. Hitting the limit locks the account for 24 hours. A site under sustained spam-form attack can reach 500/day from a single contact form.
Authentication staying alive. Less Secure App (LSA) access was Google's name for the third-party authentication path that used a plain account password against Gmail's SMTP, IMAP, and POP endpoints. Google shut it down for consumer accounts on 30 May 2022 and for Workspace accounts on 1 May 2025; OAuth, App Passwords, or a different sending provider replace it. Read full reference → are revoked whenever the Google account password changes. OAuth tokens survive password changes but require a Google Cloud project to set up. Either method ties the form’s deliverability to one Google account; if that account is a person, the form breaks when the person leaves. A shared Workspace service account is the workable answer for sites that need to survive turnover.
The custom-domain From-address trap. If WordPress is configured to send as [email protected] but the SMTP user authenticating to Gmail is [email protected], Gmail either silently rewrites the From header to [email protected] or rejects the message. For a Workspace account on the form’s own domain, the From and authenticated user match. For personal Gmail relaying mail for a different domain, DMARC alignment breaks at the receiving inbox. See Use Gmail as an SMTP server without OAuth for the full From-address discussion.
For sites where deliverability matters more than the cost saving (commerce, account recovery, anything where a lost message costs a customer), a dedicated transactional email provider is faster to set up than OAuth and does not break on password rotation. Postmark, Resend, and SMTP2GO all integrate with WP Mail SMTP and FluentSMTP through plain SMTP credentials.
Setup
Three components are involved: Contact Form 7 itself, an SMTP plugin (WP Mail SMTP, FluentSMTP, or Post SMTP), and the Gmail account that handles outbound delivery.
1. Install and configure Contact Form 7
The basic CF7 setup is covered in the 
official documentation. The default form’s Mail tab is enough for this guide; the From, To, and Subject headers will be picked up by wp_mail() once the SMTP plugin is in place.
2. Generate a Gmail App Password
App Passwords are 16-character credentials scoped to a single app. Generating one requires 2-Step Verification on the Google account. Full walkthrough: How to set up App Passwords in Gmail.
For a Workspace account, the administrator may have disabled App Passwords at the organisation level. If the App Passwords option is missing despite 2SV being enabled, that is the likely cause.
OAuth is the alternative if the site cannot use App Passwords. Gmail OAuth vs App Passwords covers the choice; for most CF7 deployments App Passwords are the practical default.
3. Configure the SMTP plugin
Install WP Mail SMTP, FluentSMTP, or Post SMTP. Each plugin handles Gmail the same way at the SMTP layer:
| Setting | Value |
|---|---|
| SMTP host | smtp.gmail.com |
| Port | 587 (STARTTLS) or 465 (SSL) |
| Encryption | STARTTLS for 587, SSL/TLS for 465 |
| Authentication | Required |
| Username | The full Gmail address |
| Password | The 16-character App Password |
| From address | Must match the authenticating Gmail account |
WP Mail SMTP exposes a “Google / Gmail” mailer that wraps this in an OAuth flow; for App Passwords, use the “Other SMTP” mailer with the values above. FluentSMTP exposes the same SMTP fields directly.
4. Verify the From address in CF7
Open the form in Contact Form 7 > Mail tab. The From header should be either the authenticated Gmail address or a Workspace “Send mail as” alias that has been verified inside the Gmail account. Setting From to a non-Gmail domain when the SMTP user is a Gmail address is the most common cause of CF7 messages going missing.
5. Send a test submission
Submit the form and confirm the message arrives. If it does not, the SMTP plugin’s log usually carries the Gmail error response.
Common failures
535-5.7.8 Username and Password not accepted. Wrong password, or App Passwords are disabled. Regenerate the App Password and check that 2SV is still enabled. For Workspace accounts, confirm the administrator has not blocked App Passwords.
534-5.7.9 Application-specific password required. The plugin is sending the account’s main password, not an App Password. Switch credentials.
Authentication succeeds but mail does not arrive. Almost always a From/Reply-To mismatch or a DMARC failure at the receiving domain. Check the receiving inbox’s DMARC policy and confirm the From address aligns with the authenticated Gmail account.
CF7 reports “Failed to send your message” with no further detail. CF7 surfaces only a generic error. The SMTP plugin’s log is where the actual Gmail response lands. WP Mail SMTP and FluentSMTP both ship with an email log; enable it before debugging.
When to use a transactional service instead
Gmail SMTP is a working transport for low-volume contact forms on small WordPress sites. It is not the right answer for:
- Sites sending more than a few hundred mails per day (the limit is real).
- Sites where the form is business-critical and cannot break on a Google password reset.
- Sites sending from a custom domain that is not on Google Workspace.
- Sites that need bounce webhooks, suppression lists, or delivery analytics.
For any of those, route CF7 through a transactional email provider using the same SMTP plugin. The configuration shape is identical; only the host, username, and password change. Setup time is comparable to App Password generation, and the credential survives staff and account changes.