Look at the headers of the email. Most likely it is appearing in your spam box because google thinks it’s not legitamate. Verify the headers to determine if it is real or not. If so, you have a big problem of someone gaining access to your site. If it’s fake, then no problem.
Gmail, Open email, More (next to reply button), Show original.
If you don’t now how to read it, compare it with a known legitamate email from wordfence or from your wordpress. You should be able to figure out what is going on. Every server adds on a header at the TOP. The first server is the last “Received” line, just above the FROM and TO. So you should see that your server generated it, and submitted it to the next server in the chain until it got to google.
For instance here are parts of an email from paypal to me @ gmail.
Delivered-To: *myemail*
Received: by 10.79.134.68 with SMTP id i65csp854885ivd;
Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
Received: from mx0.slc.paypal.com (mx0.slc.paypal.com. [173.0.84.225])
by mx.google.com with ESMTPS id w64si23116634pfb.137.2016.06.26.18.52.18
for <*myemail*>
(version=TLS1 cipher=AES128-SHA bits=128/128);
Sun, 26 Jun 2016 18:52:18 -0700 (PDT)
Received: (qmail 4702 invoked by uid 993); 27 Jun 2016 01:52:17 -0000
This means paypal is running qmail. Their system generated the email and submitted it via qmail. Paypal’s MX server (173.0.84.225) connected to gmail’s mx server (mx.google.com) and submitted the email. That server sent it to an internal server at 10.79.134.68 which dropped it into my mailbox.
If it is legitmate, the email should be generated by your server, sent via your configured smtp server (before gmail), and should look the same as any other known legitamate email from your server.
Cory
