If you are relying on an email notification to let you know someone filled out your contact form, you better be sure that notification arrives in your inbox and doesn’t get trapped in spam – or worse, never makes it to your email at all.
Because of spammers and scammers, email providers add blocks to keep all that spam out of your inbox. Without these blocks, email would be pretty worthless because we’d waste hours wading through emails from people in foreign lands offering us free gold.
Your website isn’t automatically verified to send email on your behalf
When you send an email from your website (contact form, sales, customer service, etc. notifications), that email does not originate from your domain’s email server. It is sent either from the web server where your site is hosted, or relayed through a third party email provider. You might host your email at Gmail, Outlook, Office 365, or a local email provider. Your email host would be configured to send email from an email on your domain, but not your web server (or by extension, your website).
All email must have a single from email address. That email address is checked to be sure it originated from a verified server, and was not spoofed to trick the recipient into clicking on an email that appears to come from an unsuspecting friend. For example, I can send an email through the website and, when composing the email, set the from email address to anyone I want. If I used your best friend’s email address as the from address, you’d probably open it, and might be more likely to open any attachments that I embedded with malware.
How to fix this so you can send email from the webserver
So here’s the conundrum: you need to be notified when a new order comes through your website or someone submits your contact form. The best way to do that is to have the website automatically send you an email. We just need to be sure your web server is verified to send email on your behalf (i.e. from an email on your domain).
To do this, we can set up sender authentication (DNS records like DKIM and SPF) on your domain. These records tell email servers that emails with a from address on your domain can originate from your web server – or the email service your website is using. (Things are going to get a bit technical from here on.)
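To make the receiving server's side of an SPF record concrete, here is an added example (not from any host's documentation) that evaluates a simplified subset of SPF: the ip4, ip6, include and all mechanisms. The domains, IP addresses and the `SAMPLE_TXT` records are constructed placeholders, and `check_spf` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample zone data: documentation IP ranges and example domains,
# not the real records of any host or mail provider.
SAMPLE_TXT = {
    "website.example": "v=spf1 ip4:203.0.113.10 include:relay.example ~all",
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate a simplified subset of SPF (ip4, ip6, include, all)."""
    record = txt.get(domain)
    if record is None or record.lower().split()[:1] != ["v=spf1"]:
        return "none"                      # no SPF record published
    if depth > 10:
        return "permerror"                 # too many nested includes
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A term is an optional qualifier (+ - ~ ?) followed by a mechanism.
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include only matches when the included record says "pass".
            matched = check_spf(ip, value, txt, depth + 1) == "pass"
        else:
            continue                       # mechanism outside this subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"                       # nothing matched and no "all" term
```

In this constructed zone, the web server at 203.0.113.10 and any relay address in 198.51.100.0/24 pass, while any other sending address lands on `~all` and gets a softfail.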
How these records are set up depends on where you host your site. I’ll break down what I’ve learned about sender authentication on three different web hosts.
WP Engine provides the following documentation on setting up DKIM and SPF records: DMARC: Get Your Email Into the Inbox. I love it when a host provides detailed documentation you can easily google and follow. WP Engine relays all emails sent through PHP Mail on the web server (WordPress default) through SendGrid or MailGun, and their documentation provides the correct SPF record to authenticate your domain as the sender (from email address).
Flywheel relays all emails sent through PHP Mail on the web server (WordPress default) through SendGrid. Their preferred method of verification is using SendGrid’s Sender Authentication, which signs each email sent with the correct domain (allows the receiving mail server to identify the email as legitimate and not spam), and properly labels the mail. You will need to ask support to set up Sender Authentication because it is set up per domain in SendGrid, and the CNAME records for each domain are unique. Support will send you three CNAME records to add to your DNS records. After you add the CNAME records, Flywheel support will ensure they are added correctly by validating the records through SendGrid.
I went round and round with SiteGround support and was finally told the following about validating emails sent through the web server: “As we are using cPanel for our shared hosting packages when emails are sent via PHP mail, we cannot use DKIM and SPF records. This is a limitation from cPanel and the workaround to improve email delivery would be to route your emails via SMTP [through a third party].” So if you host at SiteGround, you’ll need to route emails from the server through a third party like SendGrid, Gmail, or MailGun, and then set domain records to validate the relay. You can use this plugin to relay the emails through one of these third parties: WP Mail SMTP. Note: this means you will have to create an account on one of these providers and maintain that account along with your hosting account. All have free plans if you aren’t sending a lot of emails through your website. Once you set up your website to relay emails through an outside email service, you’ll need to figure out the best way to authenticate that third party to send emails on your behalf. Each provider should have online documentation with instructions and best practices.
I don’t know for sure that all hosts using cPanel have the same limitation without a workaround as SiteGround does, but if your host uses cPanel, you should probably look into it.
Validating Emails Sent Through Your Website is Important – even if they are getting through without it
Email SPAM filters change. Email programs learn from your behavior and might start sending emails to the SPAM folder that they were previously letting through, or they might get through to some people but not others at your organization. It’s important to make sure emails sent through the website are verified.
Set One From Address on Your Domain
To that end, I want to add another important note. Once you have the correct domain records in place, you need to always set the FROM email address on your website email notifications to be an email on your domain. If you do all this work and then set the from email address to the email address of the person who submitted the form, you totally went around everything you just set up. SPF records validate that the email is sent from a computer that is approved for the domain, which means the FROM email address has to be on your domain. If you want to be able to reply to your notification emails, most form plugins (definitely Gravity Forms) allow you to set the Reply to address as an email field in the form. Do that, but don’t set the FROM email address to anything other than an email address on the same domain as your website.
Don’t forget, if you send emails from MailChimp, you need to validate that those emails can be from an email on your domain also. The process is similar, although you have to verify everything is set correctly through your MailChimp account settings. See this article for instructions: Set Up Custom Domain Authentication: DKIM and SPF
How to tell if the verification is working
Once you have the DNS records in place, send yourself a test email from the website. To do this, you can add yourself to the email notification on a form. When the email arrives in your inbox, you’ll need to view the original email source code. In Gmail, open the email, click the three vertical dots in the upper right corner to open the menu, and select “Show Original”. This will open a bunch of code containing the email body in a new window. The top table has headings for SPF and DKIM with a pass or fail. If you don’t see SPF in the headings, search the email for SPF. The first result should tell you why the SPF check failed or passed. It might say something like:
domain of firstname.lastname@example.org designates [an IP address] as permitted sender
The above has been verified and passes SPF check.
[IP address] is neither permitted nor denied by best guess record for domain of youremail@website.com
This means the message did not pass the SPF check, and you need to either fix your SPF record or add one.
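The same check can be scripted against the raw source you copy out of “Show Original”. This added example (not part of the original post) reads the SPF and DKIM verdicts from the Authentication-Results header and also confirms the From address is on the site's domain while the visitor's address sits in Reply-To. The sample message, its domains and the `audit` helper name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a raw message source; the domains, addresses and IP
# are placeholders, not a real message.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@website.example header.s=s1;
       spf=pass (google.com: domain of bounce@website.example designates 203.0.113.10 as permitted sender) smtp.mailfrom=bounce@website.example
From: Website Forms <notifications@website.example>
Reply-To: visitor@customer.example
Subject: New contact form entry

Message body
"""

def audit(raw, site_domain):
    """Report SPF/DKIM verdicts and whether From is on the site's domain."""
    msg = message_from_string(raw)
    # Join every Authentication-Results header and unfold wrapped lines.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    auth = re.sub(r"\s+", " ", auth)

    def result(method):
        m = re.search(rf"\b{method}=(\w+)", auth)
        return m.group(1).lower() if m else "missing"

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {
        "spf": result("spf"),
        "dkim": result("dkim"),
        "from_domain": from_domain,
        "from_on_site_domain": from_domain == site_domain.lower(),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
    }
    # Healthy notification: both checks pass and From is on the site's domain.
    report["ok"] = (report["spf"] == "pass" and report["dkim"] == "pass"
                    and report["from_on_site_domain"])
    return report
```

A result of `missing` for SPF or DKIM means the receiving server recorded no verdict for that method, which is worth treating the same as a failure when you are testing your setup.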
Verification is worth the work
Figuring out the correct domain records depending on how emails are sent from the website is a pain and different depending on where you host. However, making sure those emails get to the right people is very important. If you can’t ensure the emails get through, you shouldn’t be sending emails through the website [period]. Websites are marketing tools and in many cases, the number one way people will interact with your business. Be sure you aren’t missing any important contacts by authenticating your website to send emails on your behalf.