attributes WP

Get Started

2FA Email Not Received

Version: 1.2.1 ProLast Updated: December 2025Difficulty: IntermediateTime Required: 20 minutes

Overview

Two-Factor Authentication relies on email delivery for verification codes. If emails aren’t arriving, users can’t complete login. This guide resolves all 2FA email delivery problems.

Quick Checklist

    • Check spam/junk folder first!
    • Verify correct email address in profile
    • Test with different email provider (Gmail, Outlook)
    • Check 2FA emails enabled in settings
    • Verify SMTP configured (if using SMTP plugin)

Issue 1: Email Goes to Spam

Why It Happens


Common reasons:

    

  • Using default PHP mail() function



    

  • No SPF/DKIM/DMARC records



    

  • Shared hosting with poor sender reputation



    

  • Email content triggers spam filters



    

  • "From" address doesn't match domain

Solution: Configure SMTP

Install SMTP plugin:

Recommended plugins:

  • WP Mail SMTP (most popular)
  • Post SMTP Mailer
  • Easy WP SMTP

Or use services:

  • SendGrid
  • Mailgun
  • Amazon SES
  • Gmail SMTP

WP Mail SMTP configuration:

  • Install WP Mail SMTP plugin
  • Go to WP Mail SMTP → Settings
  • Choose mail service (Gmail, SendGrid, etc.)
  • Enter credentials/API keys
  • Send test email
  • Verify delivery to inbox (not spam)

Configure SPF/DKIM Records

Add DNS records:

SPF Record (TXT):

v=spf1 include:_spf.google.com ~all

DKIM Record (TXT):

Ask your SMTP provider for DKIM key

DMARC Record (TXT):

v=DMARC1; p=none; rua=mailto:admin@example.com

Contact your hosting provider or DNS manager to add these records. They significantly improve email deliverability.

Issue 2: No Email Arrives At All

Symptoms

  • Nothing in inbox
  • Nothing in spam
  • Email simply never delivered

Solution 1: Test WordPress Email

Install Email Log plugin:

  • Install “Email Log” plugin
  • Activate plugin
  • Attempt 2FA login
  • Go to Email Log
  • Check if email was sent by WordPress

If email shows in log:

✓ WordPress sent email

✗ Email server rejected or lost it

→ Configure SMTP (see above)

If email NOT in log:

✗ WordPress never sent email

→ Check 2FA settings below

Solution 2: Verify 2FA Email Enabled

Check plugin settings:

Users → Two-Factor Authentication → Settings

Email Settings:

☑ Send verification codes via email

☐ Don’t send email notifications (disabled)

From Name: [Your Site Name]

From Email: noreply@yoursite.com ← Must match domain

Subject: Your verification code

Solution 3: Check Email Template

Verify template active:

Users → Email Templates

Two-Factor Verification:

Status: ● Enabled ○ Disabled

Test Template:

[Send Test Email]

If test email fails:

  • Check PHP mail() function works
  • Or configure SMTP
  • Check server error logs

Issue 3: Wrong Email Address

Symptoms

  • User says email not received
  • Email actually sent to old/incorrect address

Solution: Update User Profile

Have user update email:

  • User logs into WordPress (without 2FA)
  • Goes to Profile
  • Updates Email Address
  • Clicks “Update Profile”
  • Verifies new email address (if verification enabled)

Admin can update:

  • Admin: Users → All Users
  • Click Edit on user
  • Update Email field
  • Save Changes
Important: If user can’t login due to 2FA, admin must update email address for them.

Issue 4: Verification Code Expired

Symptoms

  • Email arrives late (10+ minutes)
  • Code expired by the time user enters it
  • “Code has expired” error message

Solution 1: Increase Code Validity

Extend expiration time:

Users → Two-Factor Authentication → Settings

Code Validity Period:

[10] minutes ← Increase to 15 or 30

This gives users more time to receive and enter code.

Solution 2: Fix Email Delays

Check email queue:

If using SMTP plugin:

  • Check for email queue/sending limits
  • Ensure immediate sending, not batched
  • Check SMTP server response times

Server cron issues:

WordPress cron (wp-cron.php) may be disabled

Enable cron for immediate email sending:

// Add to wp-config.php

define(‘DISABLE_WP_CRON’, false);

Issue 5: Multiple Codes Sent

Symptoms

  • User receives 5+ verification codes
  • Each code different
  • Confusion about which to use

Solution: Rate Limiting

Configure code generation limits:

Users → Two-Factor Authentication → Security

Rate Limiting:

Maximum codes per user: [3] per 15 minutes

Lockout after: [5] failed attempts

This prevents code spam

Clear old codes:

Only the MOST RECENT code is valid

All previous codes automatically invalidated

Tell users to use latest email only

Issue 6: Email Template Broken

Symptoms

  • Email arrives but looks broken
  • Merge tags not replaced ({verification_code} shown literally)
  • HTML broken or plain text

Solution: Reset Email Template

Restore default template:

  • Users → Email Templates
  • Find “Two-Factor Verification”
  • Click “Reset to Default”
  • Save changes
  • Send test email

Check merge tags:

Required merge tags for 2FA:

{verification_code} ← The actual code

{expiry_minutes} ← Time until expiration

{user_login} ← Username

{site_name} ← Site name

Example template:

Your verification code: {verification_code}

This code expires in {expiry_minutes} minutes.

Issue 7: Firewall Blocking Emails

Symptoms

  • Internal company emails work
  • External emails (Gmail, Yahoo) don’t receive
  • Only affects certain domains

Solution: Check Server Firewall

Common blocks:

  • Port 25 (SMTP) blocked by hosting
  • Port 587 (TLS) blocked by firewall
  • Outgoing email rate limits
  • IP reputation blocks

Contact hosting provider:

Questions to ask:

  • Are outbound emails blocked by default?
  • What ports are open for SMTP?
  • Are there rate limits on emails?
  • Is my server IP blacklisted?
  • Do you recommend specific SMTP service?

Issue 8: Mobile Email Clients

Symptoms

  • Desktop email works fine
  • Mobile app doesn’t show new email
  • Requires manual refresh

Solution: Push Notifications

Email client settings:

Ensure push notifications enabled:

iPhone Mail app:

Settings → Mail → Accounts → Fetch New Data

Enable: “Push” for your email account

Gmail app:

Settings → Your Account → Notifications

Enable: “All new email”

Outlook app:

Settings → Notifications → Email

Enable: “Focused Inbox notifications”

Testing Email Delivery

Comprehensive Test

    • Configure SMTP properly
    • Send test email to yourself
    • Check inbox (should arrive in seconds)
    • Enable 2FA for test user
    • Attempt login with test user
    • Wait for verification email
    • Enter code before expiration
    • Verify successful login

Test Multiple Email Providers

Test with:

✓ Gmail (@gmail.com)

✓ Outlook (@outlook.com, @hotmail.com)

✓ Yahoo (@yahoo.com)

✓ Corporate email (if applicable)

✓ Custom domain email

If some work and others don’t:

→ Indicates spam filter issue

→ Configure SPF/DKIM/DMARC

Emergency Access

User Locked Out Without Email

Admin bypass procedure:

  • Admin: Users → All Users
  • Edit locked-out user
  • Find “Two-Factor Authentication” section
  • Click “Disable 2FA for this user”
  • Save changes
  • Notify user to login (2FA now disabled)
  • User updates email address
  • User re-enables 2FA with correct email
Security Note: Verify user identity before disabling 2FA. This is a security-sensitive operation.

Best Practices

Always Use SMTP

Never rely on PHP mail() for production sites. Always configure SMTP.

Monitor Email Logs

Install Email Log plugin. Review regularly for delivery issues.

Provide Alternative Methods

Consider adding SMS 2FA option for users with email issues.