Plugin renamed to Casa Mail. The mail gateway is unchanged, but stored option keys moved to a new prefix, so the plugin re-runs its one-time onboarding after this upgrade. Reconnect from the Casa Mail admin page if prompted.<\/p>","1.3":"
Plain-English rewrite of the "Sender domain" wizard step. No data migration; existing tenants see the new UX on their next admin visit.<\/p>","1.2":"
After verifying your own domain, customer emails now go from Adds the per-tenant Casa Mail inbox: every wp_mail() now goes from First stable release. Submitting to the WordPress.org plugin directory. Existing installs upgrade in place; no data migration required.<\/p>","0.5.0":" Adds the "Use shared sender" opt-out so tenants who don't want to publish DKIM\/SPF\/RP records can send via Support contact swapped to WordPress.org pre-submission cleanup: separate notice-dismiss JS instead of inline ``, gateway-routed deletion request, dropped unused AJAX endpoints.<\/p>","0.4.0":" WordPress.org compliance release. Adds readme.txt, privacy registration, full translatability (8 locales bundled), modal-based confirmations, and a self-serve account-deletion request. Existing installs are upgraded in place; no data migration required.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3562067,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3562067,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3562067,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3562067,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0","1.4.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3562067,"resolution":"1","location":"assets","locale":"","width":3194,"height":1506},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3562067,"resolution":"2","location":"assets","locale":"","width":3192,"height":1444},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3562067,"resolution":"3","location":"assets","locale":"","width":3194,"height":1694}},"screenshots":{"1":"Dashboard with daily-cap stat card and recent sends panel.","2":"Email Gateway Settings","3":"Email Sent Logs"}},"plugin_section":[],"plugin_tags":[17561,267,6696,48586,6695],"plugin_category":[41],"plugin_contributors":[265958,265942],"plugin_business_model":[],"class_list":["post-322319","plugin","type-plugin","status-publish","hentry","plugin_tags-deliverability","plugin_tags-email","plugin_tags-smtp","plugin_tags-transactional-email","plugin_tags-wp_mail","plugin_category-communication","plugin_contributors-codecasastudios","plugin_contributors-sendemailtoday","plugin_committers-sendemailtoday"],"banners":{"banner":"https:\/\/ps.w.org\/casa-mail\/assets\/banner-772x250.png?rev=3562067","banner_2x":"https:\/\/ps.w.org\/casa-mail\/assets\/banner-1544x500.png?rev=3562067","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/casa-mail\/assets\/icon-128x128.png?rev=3562067","icon_2x":"https:\/\/ps.w.org\/casa-mail\/assets\/icon-256x256.png?rev=3562067","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/casa-mail\/assets\/screenshot-1.png?rev=3562067","caption":"Dashboard with daily-cap stat card and recent sends panel."},{"src":"https:\/\/ps.w.org\/casa-mail\/assets\/screenshot-2.png?rev=3562067","caption":"Email Gateway Settings"},{"src":"https:\/\/ps.w.org\/casa-mail\/assets\/screenshot-3.png?rev=3562067","caption":"Email Sent Logs"}],"raw_content":"\n Casa Mail intercepts If your Wordpress site doesn't send emails yet, Casa Mail is the perfect solution to start sending with no technical experience or SMTP API keys. Already send mail? Switch to Casa Mail, save money and improve deliverability.<\/p>\n\n The plugin is intended for sites that want an easy, hassle free wp_mail setup! Improve deliverability of order confirmations, password resets, account-verification emails, and similar transactional traffic with our built-in SMTP server. It does not change anything about how WordPress queues mail; it only changes how the SMTP step is performed.<\/p>\n\n After activation, an in-WordPress wizard collects:<\/p>\n\n This plugin is not affiliated with or endorsed by WooCommerce, Automattic, or any third party. The WooCommerce name appears only as a compatibility note (when WooCommerce is detected, the plugin's admin menu attaches under it for convenience; otherwise it lands under Settings).<\/p>\n\n This plugin transmits data to a third-party SMTP gateway. WordPress.org policy requires this be disclosed.<\/p>\n\n The plugin makes HTTPS requests to:<\/p>\n\n The gateway is operated by CodeCasa Studios under the Casa Mail brand and runs on the OnlineStoreNotifications infrastructure. Casa Mail and OnlineStoreNotifications are sister brands of the same company; the API hostname reflects the shared backbone rather than a third-party dependency.<\/p>\n\n During onboarding (one-time, before any send): site administrator email address, site name, site URL.<\/p>\n\n For each When activated, this plugin transmits email content (recipient, sender, subject, body, headers) to a third-party SMTP gateway for delivery. This is the plugin's only purpose. The data lifecycle is described above under \"External services\" and on the linked privacy policy.<\/p>\n\n The plugin also writes a Account deletion: a \"Request account deletion\" button on the plugin's Settings page emails the gateway operator. Upon confirmation, the tenant record, API key(s), domain-authentication records, and recent sending history are removed from the gateway side. The plugin uninstall additionally removes the plugin's WordPress-side options + tables.<\/p>\n\n\n The plugin requires PHP 7.4 or newer and WordPress 6.0 or newer.<\/p>\n\n\n Yes. The plugin hooks Calls land in a durable retry outbox and a 60-second cron drains them with 30s \/ 2m \/ 10m backoff. After three failed retries the row is marked failed and preserved for diagnosis. If the site has verified a sender domain through the plugin's Sender Domain page, the plugin rewrites the From address to The dashboard's \"Recent sends\" panel lists the most recent 10 wp_mail() calls intercepted by the plugin. The Logs page extends this to the last 200. Rows older than 30 days are pruned automatically.<\/p><\/dd>\n Settings -> Delete my account -> Request account deletion. This emails the gateway operator who removes the tenant + API key + history within 48 hours and replies to the contact email on completion. The plugin uninstall (Plugins -> Delete) handles the WordPress-side cleanup.<\/p><\/dd>\n No. WooCommerce is an Automattic trademark and this plugin is not endorsed by or affiliated with Automattic. The plugin only mentions WooCommerce as a compatibility note (the admin menu nests under WooCommerce when present, for ergonomic reasons).<\/p><\/dd>\n\n<\/dl>\n\n\n Renamed the plugin to Casa Mail (display name and slug). No functional change to mail handling - the same CodeCasa-operated transactional gateway on the OnlineStoreNotifications backbone. WordPress option keys, the outbox table, and the sends-log table now use the Sender Domain page no longer shows the yellow \"Using Cloudflare?\" advice boxes once a record is OK. They were setup hints meant for users who hadn't added the entries yet; sitting next to a green VERIFIED pill they made it look like something was wrong. Now hidden per-record: the apex \"trim the dot\" hint hides once overall status is WordPress.org Plugin Check pass. All ERROR-level findings resolved: Dashboard banner (\"Sending from the shared sender\") no longer hardcodes Step 3 (\"Your inbox\") no longer pre-locks the domain in the customer's mental model. The preview now reads Step 5 (the sender-domain choice) now shows the user's actual inbox slug + addresses instead of generic placeholders. The page leads with \"Your inbox name is Wizard step 5 (\"Sender domain\") rewritten for non-technical users:\n* Step heading is now \"Where should your emails come from?\" instead of \"Authenticate your sender domain\".\n* Two equal-weight side-by-side cards present the choice as either\/or, not as \"do this complex thing OR skip it\". One card is \"Use the Casa Mail address\" (easiest), the other is \"Use your own domain\" (on-brand). On phones the cards stack.\n* Domain input field is hidden until the user picks \"Set up my own domain\" - clicking the card's button reveals a small inline form. Keeps the choice screen uncluttered.\n* DNS-records copy after provisioning uses plain English: \"Add these 3 entries to your domain settings\" instead of \"Publish these 3 DNS records\". Mentions Cloudflare \/ GoDaddy \/ Namecheap \/ Google Domains by name so users recognise where they're going. \"Verify DNS\" button relabelled \"Check my domain\".\n* SPF helper text explains the \"merge into existing v=spf1 record\" instruction in plain English.\n* Cloudflare grey-cloud tip explains why (not just \"set to DNS only\") - replies coming back from your customers depend on it.\n* The duplicate \"Use shared sender\" button in the wizard footer is gone - the shared-sender path is now one of the two main cards. The footer now shows only \"I will decide later\" + the post-verify \"Finish\" CTA.<\/p>\n\n Per-tenant inbox feature (foundation for the paid webmail tier):\n* Every onboarded tenant now gets their own inbox at First stable public release. Consolidates the 0.4.x WordPress.org compliance work and the 0.5.0 shared-sender feature, plus two correctness fixes shipped during end-to-end testing:\n* Onboarding submenu is now registered even when the plugin is already onboarded - the wizard URL gracefully renders the \"Setup is already complete - Open dashboard\" branch instead of WP's bare \"not allowed\" page when the admin_init redirect races a page-cache or back-button.\n* Stale-clone fix on the standalone Sender Domain page: the verified-state celebration banner (cloned from a template with the @yourdomain.com<\/code> (matching your Casa Mail inbox name) instead of noreply@yourdomain.com<\/code>. Replies still route through your OSN inbox so the free-tier auto-forward + future webmail tier both work the same.<\/p>","1.1":"@onlinestorenotifications.com<\/code>, with auto-forwarded replies to your contact email. Existing installs upgrade in place; the gateway backfills a mailbox slug on next plugin OTP-verify.<\/p>","1.0":"noreply@onlinestorenotifications.com<\/code> instead. New Reply-To header preserves the original caller's From so customer replies still reach the right mailbox.<\/p>","0.4.2":"support@onlinestorenotifications.com<\/code> so deletion requests and error messages route to the already-active OSN mailbox.<\/p>","0.4.1":"wp_mail()<\/code> and delivers each message through the Casa Mail transactional email service operated by CodeCasa Studios on the OnlineStoreNotifications infrastructure (api.onlinestorenotifications.com).<\/p>\n\nHow it works<\/h4>\n\n
\n
pre_wp_mail<\/code> is hooked at priority 1. Each call is converted to a JSON payload and POSTed to the gateway.<\/li>\nwp_mail()<\/code> returns true and the message is durably enqueued upstream.<\/li>\n<prefix>casamail_outbox<\/code>) and a cron tick retries with 30s, 2m, 10m backoff.<\/li>\n<prefix>casamail_sends<\/code>) records every attempt for visibility on the plugin dashboard. Rows older than 30 days are pruned automatically.<\/li>\n<\/ul>\n\nOnboarding<\/h4>\n\n
\n
Trademark note<\/h4>\n\n
External services<\/h3>\n\n
Endpoints contacted<\/h4>\n\n
\n
https:\/\/api.onlinestorenotifications.com\/v1\/onboard\/request<\/code> \u2014 during onboarding, to send your verification email.<\/li>\nhttps:\/\/api.onlinestorenotifications.com\/v1\/onboard\/verify<\/code> \u2014 during onboarding, to confirm the code and provision an account.<\/li>\nhttps:\/\/api.onlinestorenotifications.com\/v1\/send<\/code> \u2014 for every wp_mail()<\/code> call once the plugin is onboarded.<\/li>\nhttps:\/\/api.onlinestorenotifications.com\/v1\/email\/domain<\/code> (GET \/ add \/ verify) \u2014 when the site administrator interacts with the Sender Domain page.<\/li>\n<\/ul>\n\nData sent<\/h4>\n\n
wp_mail()<\/code> call once onboarded: sender email address, sender name, recipient email address(es), subject, message body, message headers (after stripping From<\/code>\/To<\/code>\/Subject<\/code>\/Date<\/code>\/Message-ID<\/code>\/MIME-Version<\/code>\/Content-Type<\/code>\/Content-Transfer-Encoding<\/code>).<\/p>\n\nTerms and privacy<\/h4>\n\n
\n
Privacy<\/h3>\n\n
wp_add_privacy_policy_content()<\/code> block describing what is transmitted; this lets site administrators include the disclosure in the WordPress-managed privacy policy page (Settings -> Privacy).<\/p>\n\n\n
casa-mail<\/code> into wp-content\/plugins\/<\/code>.<\/li>\n\n
Does this replace existing SMTP plugins?<\/h3><\/dt>\n
pre_wp_mail<\/code> at priority 1, which runs before most SMTP plugins. For predictable behaviour, disable other mail routers (FluentSMTP, WP Mail SMTP, etc) when this plugin is active.<\/p><\/dd>\nWhat happens if the gateway is unreachable?<\/h3><\/dt>\n
wp_mail()<\/code> always returns true (the plugin guarantees zero-loss + zero-blocking).<\/p><\/dd>\nHow is the From: address handled?<\/h3><\/dt>\n
noreply@<verified-domain><\/code> so DKIM aligns. If the caller (WooCommerce, WordPress core, etc) already supplies a From address inside the verified domain, that address is honored. A \"Default From\" override is also available on the Settings page.<\/p><\/dd>\nWhere can I see what was sent?<\/h3><\/dt>\n
How do I delete my account?<\/h3><\/dt>\n
Is this affiliated with WooCommerce?<\/h3><\/dt>\n
1.4.0<\/h4>\n\n
casamail_<\/code> prefix; the admin menu pages, AJAX actions, cron hooks, script handles, and PHP namespace were prefixed to match. Existing installs re-run onboarding once after upgrade because the stored option keys changed prefix.<\/p>\n\n1.3.5<\/h4>\n\n
verified<\/code>, the Return-Path \"set to DNS only\" hint hides once that individual record's status is OK<\/code>.<\/p>\n\n1.3.4<\/h4>\n\n
translators:<\/code> comments added on the two placeholder-bearing translation strings; output escaped in the dashboard stat cards (esc_html(number_format_i18n(...))<\/code>); parse_url()<\/code> replaced with wp_parse_url()<\/code>; $wpdb->prepare()<\/code> brought to the OUTBOX_TABLE INSERT; Tested up to<\/code> bumped to 7.0. Removed load_plugin_textdomain()<\/code> (auto-loaded on WP.org since 4.6). Added phpcs:disable<\/code> blocks with documented rationale for the false-positive WARNING-level findings: NonceVerification on AJAX handlers (the nonce IS verified - in ajax_guard()<\/code>, just not inline), DirectDatabaseQuery + InterpolatedNotPrepared on the plugin's own custom tables (table names are hard-coded class constants, no user input, no object-cache layer for transmit logs), and PrefixAllGlobals on template files whose locals come from extract()<\/code>. Bootstrap rewritten to use a closure so no $set_gateway<\/code> global leaks into the WordPress namespace.<\/p>\n\n1.3.3<\/h4>\n\n
noreply@onlinestorenotifications.com<\/code> - it now shows the tenant's actual <slug>@onlinestorenotifications.com<\/code> address (the inbox they picked at Step 3), matching what customers actually see in the From line. Fallback is the legacy noreply@<\/code> for tenants on installs older than 1.1 who don't have a mailbox_slug yet.<\/p>\n\n1.3.2<\/h4>\n\n
slug@...<\/code> (with a literal ellipsis after the @<\/code>), and a short helper line tells them Step 5 is where they pick the actual domain (the shared one, or their own). The host hint next to the rename input is also @...<\/code>. Step 5 \"Use this address\" button no longer pops a confirmation modal - the card already explains the trade-offs, the second confirmation was pure friction; the click now fires the AJAX straight away. Stale \"noreply@\" copy in the populated Sender Domain page banner and the success notice is gone; both now use the tenant's actual slug address. Translated into all 8 bundled locales.<\/p>\n\n1.3.1<\/h4>\n\n
acmestore<\/code>. Where would you like to use it?\" and each choice card previews the literal address customers will see (acmestore@onlinestorenotifications.com<\/code> or acmestore@yourstore.com<\/code>). Inline domain-input form's example also uses the user's slug. SG.mailboxSlug + SG.mailboxEmail stay in sync through OTP verify + rename so step 5 always reflects the chosen slug, even if the user renamed in step 3.<\/p>\n\n1.3<\/h4>\n\n
1.2<\/h4>\n\n
\n
mailbox_slug<\/code> as the From local-part on their own verified domain too, not just on the OSN side. Onboarding picks (or the user renames) acmestore<\/code> as the inbox handle, and from then on customer-facing emails go from acmestore@theirdomain.com<\/code> (after domain verification) AND acmestore@onlinestorenotifications.com<\/code> (Reply-To target, where replies route through). One consistent identity across both addresses; no more noreply@<\/code> in the customer-facing From.<\/li>\nactivateTenantSender<\/code> now overwrites any @onlinestorenotifications.com<\/code> sender_email when a tenant verifies their own domain \u2014 previously it only matched the legacy shared noreply@osn<\/code> value, leaving v1.1 per-tenant slug addresses stuck on OSN after domain verification.<\/li>\ndefault_from<\/code> on the Settings page still wins over the slug-based default.<\/li>\n<\/ul>\n\n1.1<\/h4>\n\n
<slug>@onlinestorenotifications.com<\/code>. The slug is derived from the site URL host (strips common subdomain noise like www.<\/code>, shop.<\/code>, sms.<\/code>) with a fallback to store-xxxxxx<\/code> for collisions.\n* New wizard step between OTP verification and plan selection lets the user accept the suggested inbox name or rename it inline with live availability checking.\n* When the tenant is on the shared sender, every wp_mail() now goes from <slug>@onlinestorenotifications.com<\/code> instead of the generic noreply@onlinestorenotifications.com<\/code>. Replies route directly to the tenant's inbox.\n* When the tenant has authenticated their own domain, From stays on their domain but a Reply-To: <slug>@onlinestorenotifications.com<\/code> header is injected so replies still arrive in the OSN inbox.\n* Free tier auto-forwards inbox mail to the tenant's contact email via a Postfix virtual-alias map backed by a MariaDB view. The view is regenerated every 60s by a host systemd timer; no manual sync needed when tenants onboard or rename.\n* New gateway endpoints: GET \/v1\/email\/mailbox<\/code> (read current inbox state), POST \/v1\/email\/mailbox\/check<\/code> (live slug validation without mutating), POST \/v1\/email\/mailbox\/rename<\/code> (atomic rename with UNIQUE-index protection).\n* A webmail_enabled<\/code> flag exists on tenants for the future paid tier; when flipped on, the alias destination changes from \"forward to contact_email\" to \"store in Maildir\" \u2014 Roundcube auto-login + IMAP provisioning will arrive in a follow-up release.<\/p>\n\n1.0<\/h4>\n\n
hidden<\/code> HTML attribute) was being forced visible by display: flex<\/code> in CSS, leaking a green \"verified\" banner onto the pending-records view. CSS now uses :not([hidden])<\/code> so the attribute wins.\n* activateTenantSender()<\/code> on the gateway now overwrites the shared-sender address when a tenant who previously opted into the shared path verifies their own domain. Previously the COALESCE<\/code> guard kept sender_email<\/code> pinned to noreply@onlinestorenotifications.com<\/code> forever, so verification succeeded but sends never moved over to the customer's domain.<\/p>\n\n0.5.0<\/h4>\n\n
\n
noreply@onlinestorenotifications.com<\/code> instead - DKIM + SPF + Return-Path are already configured for that domain on the gateway side, so mail arrives signed and aligned (cost: Gmail shows \"via onlinestorenotifications.com\" in the sender chrome).<\/li>\nPOST \/v1\/email\/domain\/skip<\/code> - sets tenants.sender_email<\/code> to the shared address so Transport's fromFor()<\/code> picks it up on every send.<\/li>\nfrom_email()<\/code> now short-circuits to the shared address when domain_status === 'shared'<\/code>, so the WP-side wp_casamail_sends<\/code> log reflects the actual From the recipient will see (no drift between plugin log and Postal envelope).<\/li>\nReply-To<\/code> header whenever the plugin rewrites the From, so customer replies still reach the original mailbox (caller-supplied From, or the tenant's contact email as fallback). Skipped when the caller already set Reply-To.<\/li>\n0.4.2<\/h4>\n\n
\n
support@sendemailtoday.io<\/code> to support@onlinestorenotifications.com<\/code>. The OSN mailbox already exists on the gateway's role-mailbox stack and is the same support address the onboarding OTP email body has always referenced.<\/li>\n<\/ul>\n\n0.4.1<\/h4>\n\n
\n
<script><\/code> block in show_onboarding_notice<\/code> with a separately-enqueued assets\/js\/notice-dismiss.js<\/code>, loaded only when the notice would render.<\/li>\nX-SET-Outbox: 1<\/code> shortcut relied on the host's PHP mail()<\/code> being functional, which most managed WordPress hosts disable.<\/li>\nset_gateway_get_dashboard<\/code> and set_gateway_get_logs<\/code> AJAX endpoints that were scaffolded for a polling feature never implemented.<\/li>\nwoocommerce<\/code> readme tag with deliverability<\/code> to sidestep the trademark concern when listing on WordPress.org.<\/li>\n<\/ul>\n\n0.4.0<\/h4>\n\n
\n
readme.txt<\/code> and WP.org submission compliance.<\/li>\nwp_add_privacy_policy_content()<\/code> registration for Settings -> Privacy.<\/li>\nwindow.prompt()<\/code> calls with an accessible in-page modal.<\/li>\nwp_localize_script<\/code> so the plugin is fully translatable.<\/li>\nload_plugin_textdomain<\/code> and ship translations for de_DE<\/code>, es_ES<\/code>, fr_FR<\/code>, it_IT<\/code>, ja<\/code>, nl_NL<\/code>, pl_PL<\/code>, pt_BR<\/code>.<\/li>\nwp_unschedule_event<\/code> with wp_clear_scheduled_hook<\/code> in deactivate to defend against duplicate-scheduled hooks.<\/li>\n$wpdb<\/code> queries with phpcs:ignore<\/code> comments + justifications.<\/li>\nstyle=\"\"<\/code> attributes with CSS classes (set-gw-notice-cta<\/code>, set-logs-section-heading<\/code>, set-danger-zone<\/code>, set-gw-modal<\/code>).<\/li>\n0.3.2<\/h4>\n\n
\n
Sent (24h)<\/code> stat card on the dashboard.<\/li>\n<\/ul>\n\n0.3.1<\/h4>\n\n
\n
systemd-resolved<\/code> and query DNS via dig @1.1.1.1<\/code> directly so a freshly-flipped Cloudflare proxy switch is reflected immediately.<\/li>\n<\/ul>\n\n0.3.0<\/h4>\n\n
\n
noreply@<verified-domain><\/code> when the WC-supplied From is outside the verified domain.<\/li>\nwp_casamail_sends<\/code> transmit-log table + Recent sends dashboard panel.<\/li>\n0.2.0<\/h4>\n\n
\n