Description
It is common for websites to have some communication form, often for marketing or sales purposes. Other times, it is as simple as having a "contact us" form to avoid publishing an email address to the public.
Web forms can be custom developed, or more commonly today, added as a pre-built option into WordPress or WP Engine websites. Regardless of how the web form is added to a website, there are best practices to follow for ensuring consistent and predictable deliverability of the emails generated by the web form.
If you are a web developer or IT professional helping someone whose web form emails are getting filtered out, consider these best practices. Please do not recommend that email security be turned off or that something be added to a whitelist. The fact is, email is the most common entry point for malicious threats to a network and its security. Creating a properly formed email is worth the effort.
Applies to:
web forms, WordPress, WP Engine, web hosting, SPF, relay, smarthost
Important Concepts
A few concepts are critical to understanding how to implement a web form to send a properly constructed email that will not get marked as spam. The most important ones are:
- Sender vs. From addresses in an email envelope
- Sending source of the email (also known as the relay or smarthost)
- SPF (Sender Policy Framework) validation
Sender vs. From Addresses
The Sender address, in the green box, is the "actual sender" of the email. This email address contains the domain which email security systems will use to validate the SPF record. We'll talk about that a little more later. Sender addresses are typically not seen in email clients, whether using Outlook, Gmail's web interface, smartphone, or tablet.
These Sender addresses are sometimes used by applications to track email activity. Think open rates, link clicks, and other metrics that tools like newsletters, CRMs, and line of business apps collect. The Sender's address should be "real" because it is the person or app that created the message.
The From address is the one that shows up in email clients. This is the address that can be made to look like anything and include a display name. In the image above, the From address is in the blue box.
A display name is included, helping the recipient see a more familiar name. The email address that is part of the From address happens to match the Sender address. That's not always the case. When the Sender and From email addresses do not match, this is a form of spoofing. But spoofing is a tactic, not a bad thing. Spoofing is a bad thing when spammers abuse the functionality.
To summarize this:
- Sender address --> the person or app that is sending the email and used for SPF validation
- From address --> the name and email address that will show up in the email client
- Sender and From addresses can match but don't have to
Sending Source - aka Email Relay or Smarthost
Implementing a web form requires the configuration of an SMTP server to send the email out. The SMTP server can be one of several options:
- Web hosting provider's SMTP service
- A domain's existing email service as a relay or smarthost
- Microsoft 365, Google Workspace, an email security service such as Mailprotector
- A third-party relay or smarthost (best option in most cases)
Regardless of the SMTP service used, the email sent will come from a server and IP address associated with the SMTP server. This sending source is used when SPF validation occurs and can differentiate between a deliverable email and one that ends up in a spam folder.
Each SMTP service should provide information about the IP addresses emails get sent from. If not, that's a major clue that it shouldn't be used for sending out emails on behalf of your web form.
Third-party relay services provide the easiest-to-implement options, usually with credentials to connect securely and plenty of great documentation on working with web forms or WordPress websites.
SPF Validation
We've established the Sender address's importance and that emails generated by a web form will be sent from an SMTP server. The Sender Policy Framework (SPF) uses those two critical pieces of information to validate if the email is coming from a server or service authorized to send on behalf of that Sender address's domain.
Let's go back to the image above and use that to walk through this process.
Keep in mind that Mark G. does not have a "Basecamp" email address. The form that created this email generated the Sender and From addresses in this way to make sure the email to Josh had the best chance of being delivered to Josh's inbox.
- The Sender address is notifications@3.basecamp.com
- The domain that will be used to check SPF is 3.basecamp.com
- The SPF record for 3.basecamp.com says to use all IP addresses that include:_spf.basecamp.com
- The IP address this email came from is 204.62.115.51 (found in detailed email logs not shown here)
- The IP address is included in the domain's SPF record as ip4:204.62.114.0/23
- Therefore, the Sender address's domain is authorized to send the email from that IP address
Notice, none of the bullets talks about the From address.
The important takeaway is that the Sender address must be one that is authorized to use the SMTP service on behalf of that Sender address's domain. Then, you can make the From address look any way you want.
In fact, here is an example we see often:
- Sales lead web form example
- The Sender address is from the web form owner's domain (no-reply@widgetgroup.com)
- The From address becomes the person that filled out the webform (jsmith@gmail.com)
- The Sender and From addresses are completely different
- The sales team receives an email that comes from their own domain but looks like it is the person who filled out the form
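The SPF walk-through above can be reproduced offline with a short script. This is an added example, not code from the original article: the TXT records and the message are constructed from the values quoted above (the `-all` terminator, the display name and the recipient address are assumptions), and `spf_match` and `check_message` are hypothetical helper names. It is simplified to the `ip4`, `ip6` and `include` mechanisms.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records, reduced to the mechanisms the article quotes.
# The trailing "-all" is an assumption; the real records may differ.
DNS_TXT = {
    "3.basecamp.com": "v=spf1 include:_spf.basecamp.com -all",
    "_spf.basecamp.com": "v=spf1 ip4:204.62.114.0/23 -all",
}

# Constructed message: Return-Path records the envelope Sender address,
# From is what the mail client displays.
RAW = """\
Return-Path: <notifications@3.basecamp.com>
From: "Mark G. (Basecamp)" <notifications@3.basecamp.com>
To: josh@example.com
Subject: constructed sample

body
"""

def spf_match(domain, ip, depth=0):
    """True if ip matches an ip4/ip6/include term of domain's SPF record."""
    record = DNS_TXT.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return False  # no SPF record, or an include loop
    for term in record.split()[1:]:
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return True
        elif name == "include" and spf_match(value, ip, depth + 1):
            return True
    return False

def check_message(raw, client_ip):
    """Evaluate SPF for the envelope Sender domain; From is only reported."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["Return-Path"])[1]
    shown = parseaddr(msg["From"])[1]
    domain = sender.rpartition("@")[2].lower()
    ok = spf_match(domain, ipaddress.ip_address(client_ip))
    return {"spf_domain": domain, "from": shown, "spf": "pass" if ok else "fail"}

if __name__ == "__main__":
    print(check_message(RAW, "204.62.115.51"))
```

Changing only the From header leaves the result unchanged, while a sending IP outside 204.62.114.0/23 turns it into a fail.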
Final Thoughts
Sending emails from a web form can be an important way for companies to communicate or receive information from their customers and prospects. It is important to build that interaction in a way that respects email security standards and best practices. If you're struggling with getting emails from a web form to deliver where they are supposed to, reach out to the support of the Sending Source if possible.
There are more nuances to successful email deliverability, but if you understand these critical concepts you should be well on your way to implementing email-generating web forms with ease.