Think about it: you could send an email on behalf of anyone using your contact form if it arrives “From” the visitor’s email address. That must not be right. To properly set up a contact form, I propose the following best practice for excellent deliverability. Take a look at the three most crucial email headers:
- From: Use something like firstname.lastname@example.org, which is the default sender address of transactional emails on your site, such as password recovery and automatic update notifications. It should end with your domain*; what you put before the @ doesn’t matter. Do not use any existing address.
- Reply-to: The visitor’s email address goes into this header. It’s the only way we set up contact forms, ever since I discovered we were doing this all wrong.
- To: Wherever you wish to collect contact form emails, like email@example.com or a similar professional-looking address. Your new pen pals will only see it once you reply.
* Why include your domain in the From address?
I don’t know about your email setup, but we use Mailgun and Amazon SES for our email sending/receiving needs. These services only allow email sent through their SMTP servers if the From address uses a verified domain in their system. It’s not a coincidence that the address for WordPress transactional emails is also this way. The email server of your cPanel host or similar service likely has the appropriate restrictions.
If you are using Gmail, this quirk also applies to you:
If the “From” address is either the same as the “To” address, or is configured in Gmail Settings as one of the ‘Send As…’ accounts, Gmail replies to the “To” address instead of the “Reply-To” address. An easy workaround is to specify a non-Gmail “From” address.
Everything points back to my original recommendation.
What’s wrong with the From header being the visitor’s email?
It means you are sending an email on behalf of the visitor. What if you set up a contact form that goes to a visitor’s friend? It’s that easy to fake an email and prank people. Consequently, most servers now verify whether the sender has the right to use that email address. When the checks fail, the server identifies the mail as spam, based on a “forged sender address”. This hurts deliverability. The visitor’s name can still appear in the From, but not their address!
Don’t worry, as long as you have Reply-to as the visitor’s email, you can hit the reply button in Gmail or any other platform, and it’ll work as expected. Nothing needs to change in how you handle contact form emails. You won’t be sending emails to the imaginary address of your WordPress installation either. To better illustrate my point, take a look at the following examples.
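The header layout described above, as an added example in Python (not code from this post or from any plugin): it puts From on the site's domain, sets Reply-To to the visitor, and refuses line breaks in visitor input before that input reaches a header. The addresses, SITE_DOMAIN and build_contact_mail are assumptions made for illustration.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed values for illustration; replace with your own.
SITE_DOMAIN = "example.org"
SITE_FROM = "wordpress@example.org"   # non-existing mailbox on the site's domain
INBOX_TO = "hello@example.org"        # where contact form mail is collected

# Deliberately conservative pattern (an assumption, not a full RFC 5322 parser).
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_contact_mail(visitor_name, visitor_email, body,
                       site_from=SITE_FROM, inbox_to=INBOX_TO):
    """Return an EmailMessage laid out as From=site, Reply-To=visitor, To=inbox."""
    # Visitor input ends up in headers: refuse line breaks that could add headers.
    for value in (visitor_name, visitor_email):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header field")
    if not _ADDR.fullmatch(visitor_email):
        raise ValueError("visitor address is not a plain addr-spec")
    # From must be on the verified sending domain, never the visitor's address.
    if site_from.rsplit("@", 1)[-1].lower() != SITE_DOMAIN:
        raise ValueError("From address is not on the site's domain")
    # Gmail quirk quoted above: From == To makes replies ignore Reply-To.
    if site_from.lower() == inbox_to.lower():
        raise ValueError("From and To must differ")

    msg = EmailMessage()
    # The visitor's name may be shown in From, but with the site's address.
    msg["From"] = Address(display_name=visitor_name, addr_spec=site_from)
    msg["Reply-To"] = Address(display_name=visitor_name, addr_spec=visitor_email)
    msg["To"] = Address(addr_spec=inbox_to)
    msg["Subject"] = "Contact form message"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(build_contact_mail("Jane Doe", "jane@visitor.example", "Hello!"))
```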
Contact Form 7 example
For the sake of completeness, these are the form’s inputs:
[text* your-name placeholder "Your Name"]
[email* your-email placeholder "Your Email"]
[textarea* your-message placeholder "Your Message"]
And this is how to use these fields:
The line we wrote in the Additional Headers may be missing from the default setup, causing misconfiguration, so here it is:
Reply-to: [your-name] <[your-email]>
Elementor contact form example
Elementor’s setup is easier than Contact Form 7, but it’s also less flexible. Why? Notice that in addition to the predefined From email, the subject is also fixed. I’m happy they included a Reply-To option, though: