Other SMTP Authentication Failure Remedy Is Misleading
Near the very bottom of your WP Mail SMTP “Other SMTP” documentation page updated August 19, 2024 in the section titled “Adding A Custom Filter” you state the following:
The WordPress (PHPMailer) uses these auth types in order:
CRAM-MD5, LOGIN, PLAIN, XOAUTH2
If the receiving SMTP server is not configured correctly, it will fail at the first one.
If you’ve covered the two troubleshooting options above, and you’re still receiving the error, you can try adding the following filter:
/* Adding a Custom Filter when using Other SMTP Setting
Original doc: https://wpmailsmtp.com/docs/how-to-set-up-the-other-smtp-mailer-in-wp-mail-smtp/
*/
add_filter( 'wp_mail_smtp_custom_options', function( $phpmailer ) {
    $phpmailer->AuthType = 'LOGIN';
    return $phpmailer;
} );

I’m not an email server administrator – I’m a website developer. When I read this suggested fix I thought that the problem was that the receiving SMTP server didn’t have their authentication protocols listed in the same order as the PHP Mailer and that this was the reason for the authentication failure. Fortunately for me I am re-doing the website for the world’s leading authority on email security testing – checktls.com. It was their email server that I could not get WP Mail SMTP authentication to work with. After several hours of testing, the checktls.com email server technicians discovered that their CRAM-MD5 authentication protocol was configured incorrectly.
What caused the authentication failure and how is the order of the authentication protocols in the PHP Mailer relevant? Here’s how the PHP Mailer authentication works:
- The first protocol in the PHP Mailer list of protocols, which is CRAM-MD5, is used to try and authenticate with the receiving email server. If the receiving email server offers CRAM-MD5 as an authentication protocol, regardless of the order in which the CRAM-MD5 protocol is offered by the receiving email server, the receiving email server attempts to authenticate with the PHP Mailer. If CRAM-MD5 is configured properly on the receiving email server, the authentication succeeds. If CRAM-MD5 on the receiving email server is configured incorrectly, the authentication fails. Authentication failure has nothing to do with the order of the authentication protocols in either the PHP Mailer or the receiving email server.
- The suggestion to use the WordPress filter to authenticate using the LOGIN protocol needs to be considered in the context of the security policy that may be in effect for the receiving email server. If the receiving email server security policy is to prefer CRAM-MD5 by listing it as the first authentication protocol to be used, “going around” using encrypted CRAM-MD5 authentication by using the unencrypted, plaintext LOGIN authentication protocol MAY violate the security policy of the receiving email server’s administrators. It is my opinion that if you continue to recommend using the LOGIN WordPress filter that you explain the security implications of doing so.
Based on my experience with checktls.com, it turns out that nothing needed to be changed to modify the behavior of the PHP Mailer. The problem was entirely the result of checktls.com improperly configuring their CRAM-MD5. Once they fixed their CRAM-MD5 configuration issue, WP Mail SMTP was able to authenticate without any problem. I initially installed the WordPress custom filter so that I could circumvent the failing CRAM-MD5 authentication. But this violated the checktls.com SMTP authentication security policy (they prefer to use CRAM-MD5), so I removed the WordPress custom filter and waited for them to fix their CRAM-MD5 configuration.
It is my suggestion that you re-write the “Adding A Custom Filter” section of your “Other SMTP” documentation to reflect how the PHP Mailer and receiving email server SMTP authentication actually work.
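The mechanism selection described in the post above, as an added example that is not part of the original post and is not PHPMailer's or WP Mail SMTP's own code: it picks the mechanism from the client's preference list and shows what CRAM-MD5 and LOGIN each put on the wire. The function names, the EHLO reply, the credentials and the challenge are all constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not PHPMailer's API.
// Client preference order as quoted in the post.
const CLIENT_ORDER = ['CRAM-MD5', 'LOGIN', 'PLAIN', 'XOAUTH2'];

// Mechanisms the server advertises on the AUTH line of its EHLO reply.
function advertised_mechanisms(string $ehloReply): array {
    foreach (preg_split('/\r?\n/', trim($ehloReply)) as $line) {
        if (preg_match('/^250[ -]AUTH[ =](.+)$/i', $line, $m)) {
            return array_map('strtoupper', preg_split('/\s+/', trim($m[1])));
        }
    }
    return [];
}

// The first entry in the CLIENT's list that the server offers is used;
// the order on the server's AUTH line plays no part in the choice.
function select_mechanism(array $serverMechs): ?string {
    foreach (CLIENT_ORDER as $mech) {
        if (in_array($mech, $serverMechs, true)) {
            return $mech;
        }
    }
    return null;
}

// CRAM-MD5 (RFC 2195): the password keys an HMAC-MD5 over the server challenge.
function cram_md5_response(string $user, string $pass, string $b64Challenge): string {
    $challenge = base64_decode($b64Challenge, true);
    return base64_encode($user . ' ' . hash_hmac('md5', $challenge, $pass));
}

// LOGIN: username and password are each sent base64-encoded, so both are recoverable.
function login_responses(string $user, string $pass): array {
    return [base64_encode($user), base64_encode($pass)];
}

// Constructed EHLO reply in which the server lists CRAM-MD5 last.
$ehlo = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME";
$chosen = select_mechanism(advertised_mechanisms($ehlo));
echo "Selected: {$chosen}\n";

// Constructed credentials and challenge.
$challenge = base64_encode('<12345.67890@mail.example.test>');
echo 'CRAM-MD5 reply: ' . cram_md5_response('user@example.test', 'sample-password', $challenge) . "\n";
[, $p] = login_responses('user@example.test', 'sample-password');
echo 'LOGIN password line decodes to: ' . base64_decode($p) . "\n";
```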