Why PHPMailer should be replaced with SMTP

PHPMailer is a code library that sends email messages from a web server via PHP. Although it generally works and you might not have any bad experience with it, PHPMailer is far from perfect.

Why PHPMailer should be avoided

1. No email authentication

The biggest issue with PHPMailer is that it uses no email authentication. Because of that, the emails it sends will in most cases end up in receiver’s spambox. Even if the messages won’t go to spam, the sender will most likely be marked as “not authentic” by Gmail and the receiver will get confused.

2. Easy to exploit by hackers

Since PHPMailer does not require any type of authentication to send emails, it can be easily exploited by hackers. In a case your host is hacked, PHPMailer can easily be used for mass email spam campaigns. That will surely result by your host’s IP being blocked by email providers such as Gmail.

Alternative to PHPMailer

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail transmission. Unlike PHPMailer, it requires password authentication.

Since SMTP requires password authentication, forcing its usage on the entire host (disabling PHPMailer) will reduce the chances of hackers using your host for spam campaigns. Unless hackers are crafty enough to get your SMTP password(s).

By disabling PHPMailer, you will reduce the amount of malicious traffic towards your server as well, regardless of their actions being successful or not. Spammers will always try to find the easiest target to send spam emails from. They most likely won’t waste their resources on host that has PHPMailer disabled in the first place.

Conclusion

Is SMTP perfect? No, it is not. Both SMTP and PHPMailer had known vulnerabilities in the past. But the fact that email providers are very fond of SMTP, or should I say NOT fond of PHPMailer, cannot be ignored. What also cannot be ignored is the protection by password authentication which SMTP brings.