
If you’ve set up a contact form on your WordPress website, you may have encountered an issue where emails land in the spam folder – or worse, aren’t delivered at all. This can be frustrating and could even cost your business potential leads. In this post, we’ll walk through the reasons why this can happen and how to fix it, covering everything from authentication to using the right mailer system.
Summary
– Use an SMTP mailer instead of a PHP mailer
– Make sure your domain’s SPF records are set properly
– Don’t send contact form submissions to clients, where possible
– Install a CAPTCHA on all website contact forms
When setting up a contact form on your WordPress site, the simplest approach is to use a WordPress PHP mailer to send emails.
Most of the time, this message goes through without issue. However, sometimes the mail delivery is stopped by a spam filter along the way, and you don’t receive your contact form mail.
What causes this?
If your email account and your website are on the same server, then the email delivery happens locally. In this case, the email does not go through an outbound/inbound spam filter, so there’s no chance of it being filtered or blocked.
However, if your email is hosted with a third-party provider like GSuite or Office 365, the email must pass through several spam filters before reaching your inbox. First, it goes through your server’s outbound filter, then to the receiving provider’s (e.g., Gmail or Outlook) incoming filter, where it may be flagged as spam.
PHP vs SMTP mailer
Sending via a PHP mailer is an outdated way of sending email. It can work, but needs to be configured properly with valid email headers and other information that you don’t need to worry about when sending from a valid email address.
SMTP (Simple Mail Transfer Protocol) is a more reliable and secure method for sending emails, as it ensures that the server you’re sending from is authenticated, reducing the likelihood of your emails being flagged as spam. We’d recommend using an SMTP mailer wherever possible, which means your email contact form will actually log into an email address and send from there. This handles email headers and validation for you, and is much simpler to troubleshoot.
Now, let’s walk through how to set up an SMTP mailer to send emails reliably from your contact form.
Setting up an SMTP mailer
Most WordPress plugins offer the option of sending via PHP or SMTP mailer, with PHP being the default setting. To use an SMTP mailer, simply add the following details. Feel free to reach out to us or your email hosting provider if you need assistance with this.
Many SMTP mailers (including WP Mail SMTP) will provide you with the following options:
SMTP / Server Hostname: Either your server name or another website that resolves to the same server. If you’re unsure, a good rule of thumb is to use your MX record. Enter your domain name into this tool to find yours.
https://www.whatsmydns.net/#MX/
SMTP Port: 465 (with SSL/TLS enabled) or 587 otherwise. If this doesn’t work you could also try 25, as some servers still use this port.
Username: Your full email address, e.g. ‘john@example.com’.
Password: The email account’s password. If your emails are on cPanel, you can follow this link to reset your password.
Don’t send contact form ‘confirmation’ emails to clients
Many people send out a ‘copy’ of the message to the client who entered the contact form, for their own reference. This is convenient but should be done with caution, because without the proper authentication in place this can be easily abused by spammers.
For some setups, a spammer could essentially use your contact form to send spam to whoever they want by putting the target’s name in the ‘from’ field, and the message they want to send in the message field. You’ll be spammed with these messages, and those email addresses will also get spam that says it comes from you.
This abuse will also mean that your domain will be more likely to be placed on email blacklists, making it harder for you to reach your legitimate clients in future.
Use a CAPTCHA
Adding some sort of human verification to all your website forms is the best and most straightforward thing you can do to reduce spam. There are many WordPress plugins that will do this for you, like Google’s reCAPTCHA.
Even if your contact forms are abused, this is not as big an issue if your website and email are on the same server. You’ll get a lot of spam, but the reputation of your domain won’t be affected.
However, if your website sends mail to an external system like GSuite / Office 365, the contents of the contact form messages will be scanned by automatic spam filters along the way. If spammers are abusing your contact forms to send spam, then these filters will be more likely to mark your domain as abusive and block future emails from you.
Other PHP Mailer tips
If your heart is set on using a PHP mailer, that’s OK – this can work just as well. However, there are a few extra pitfalls you’ll need to be aware of. The following section is more technical and aimed at those familiar with PHP mailer setups.
Don’t set the client’s email as the Reply-To address
The most common way to set up PHP mail is by specifying the client’s email address in the ‘reply-to’ field. The thinking is that when you receive this email notifying you of a contact form submission, you can simply hit ‘reply’ and respond to the client instead of forwarding the message.
This is fine if your website is on the same server as your email hosting, but often runs into issues when your mail is external. If any mail system receives an email which has different emails for the ‘From address’ and ‘Reply-To address’, it’s automatically more likely to mark the email as suspicious.
It’s also more suspicious-looking if the email’s From Address doesn’t match the Sender ID. PHP mailers are identified as coming from the cPanel username, meaning the Sender ID will be listed as ‘cPanel-username@servername.com’ instead of the actual email address. This means your server hostname also needs correct email authentication, which brings us to SPF.
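The two mismatches described above can be checked on a delivered notification by reading its headers. The following is an added example, not code from the original post: the message is constructed, every address is a placeholder, and it assumes the Return-Path header carries what this post calls the Sender ID.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a PHP-mailer notification as a receiving filter might see it.
# All addresses are placeholders; Return-Path is assumed to carry the Sender ID.
SAMPLE = "\n".join([
    "Return-Path: <cpaneluser@server.hosting.example>",
    "From: Website Contact Form <info@example.com>",
    "Reply-To: visitor@customer.example",
    "To: info@example.com",
    "Subject: New contact form submission",
    "",
    "Message body entered by the visitor.",
])

def address_of(value):
    """Return the bare, lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def domain_of(value):
    """Return the domain part of the address in a header value ('' if absent)."""
    addr = address_of(value)
    return addr.rpartition("@")[2] if "@" in addr else ""

def audit_headers(raw_message):
    """List the header mismatches that make a notification look suspicious."""
    msg = message_from_string(raw_message)
    from_addr = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    findings = []
    # Check 1: Reply-To points somewhere other than the From address.
    if reply_to and reply_to != from_addr:
        findings.append(f"Reply-To <{reply_to}> differs from From <{from_addr}>")
    # Check 2: the sending identity's domain is not the From domain.
    sender_domain = domain_of(msg.get("Return-Path"))
    from_domain = domain_of(msg.get("From"))
    if sender_domain and sender_domain != from_domain:
        findings.append(
            f"sender domain {sender_domain} does not match From domain {from_domain}"
        )
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```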
DNS-based Authentication (SPF)
When sending any mail (normal emails or those generated by a contact form), the email needs to be validated to make sure that the sender has the authority to send the message. This prevents anyone from sending mail that pretends to be from you. There are a few different things that are required, and if you’re sending via a contact form, the server that the contact form is on ALSO has to be allowed to send mail from you.
SPF (Sender Policy Framework) is a DNS record that lists the IP addresses that are allowed to send mail from a particular domain. Usually this is managed by your email service provider, but if you have an external email provider and want to send mail from our server, you’d need to add CloudLoop’s SPF record:
https://portal.cloudloop.com.au/knowledgebase.php?id=17-what-is-cloudloops-spf-record
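To see why the web server has to appear in the record, the sketch below evaluates an SPF record against a sending IP address. It is an added example, not CloudLoop's record or code from this post: the records, the include hostname and the IP addresses are constructed placeholders, and it only evaluates ip4, ip6 and all offline, reporting other mechanisms as needing a DNS lookup.

```python
import ipaddress

# Constructed placeholders: an external mail provider's include, with and
# without the web server's address range added to the record.
RECORD_WITH_WEB_SERVER = "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 ~all"
RECORD_PROVIDER_ONLY = "v=spf1 include:_spf.mailprovider.example -all"
WEB_SERVER_IP = "203.0.113.10"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for sender_ip.

    Returns (result, unresolved). unresolved lists the terms seen before the
    match (include, a, mx, redirect, ...) that need DNS lookups this offline
    sketch does not perform; the result assumes none of them matched.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier], unresolved
        elif name == "all":
            return QUALIFIERS[qualifier], unresolved
        else:
            unresolved.append(term)
    return "neutral", unresolved  # nothing matched and there is no "all"

if __name__ == "__main__":
    for record in (RECORD_WITH_WEB_SERVER, RECORD_PROVIDER_ONLY):
        print(record, "->", evaluate_spf(record, WEB_SERVER_IP))
```

With the provider-only record, contact form mail from the web server passes only if the provider's include happens to cover that server, which an external provider's include normally does not.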