In this guide, we will be covering best practices for general inquiry forms (contact us type forms for example).
Don’t advertise email addresses on website
Having your email address readably available on your website can cause issues with spam. The reason for this is due to scripts being developed that scrape all websites on the internet looking for specific patterns in the form of email addresses.
If a bot detects an email address within your website, then it can take that email and add it to a different mailing list, or do with it whatever the program the individual that created the script designed the program to do with different addresses.
For example, some bots will categorize email addresses automatically according to the type of website it believes it is crawling. It will then take the information it finds and sells this information to different groups, businesses, etc… that are looking for lead generation.
Instead:
Instead of broadcasting your email on your website we recommend making a simple form that allows the user to fill out their name and any other information needed for the inquiry. This form ideally should send an email both FROM and TO the administrator for the website or whoever handles the form submissions on your website.
Don’t set the visitor as the FROM, TO, or Fail-To address
In your contact form you will be setting important information for the email such as the FROM address, TO address, subject, etc…
It is a very bad practice to set the FROM, TO, or Fail-To address in these forms as the address the visitor submits during the form completion. Instead, it is recommended and best practice to set these addresses as an address provided within your website.
Example Scenario
An example would be passing the form variables that the visitor submitted in EITHER of the mail attributes that control the from, to, or fail-to addresses.
In the below example we’re passing through the form email variable to all three… which is definitely going to result in some issues. This may work for some emails, but anyone that fills out the form with valid SPF and/or DMARC rules is going to result in a failure.
ColdFusion Bad Practice Example
<cfmail from="#form.emailaddress#" to="#form.emailaddress" fail-to="#form.emailaddress#">
</cfmail>
PHP Bad Practice Example
<?php
$to = $_POST['email'];
$subject = "Example Email";
$body = "Example Body Content.";
$headers = "From:" . $_POST['email'] . "\r\n" .
"CC: [email protected]";
mail($to,$subject,$body,$headers);
?>
Instead:
Your form submissions should be sent to and moderated by someone within your organization/business. Therefore the FROM, TO, and FAIL-TO address should all be addresses within your website and not be reliant on the customer email address field in the form.
Never have a form without a CAPTCHA
Every form on your website should have a captcha. Otherwise, the form is subject to abuse by spammers and attackers.
Every day we see forms getting exploited by attackers and sending out spam. These include contact forms, registration forms, comment forms for blogs, mailing list signup forms, or anything else that acts as a form submission on websites. This can result in hundreds of thousands of spam emails being sent from the server which can hurt the servers IP reputation. If the reputation of the server takes a hit, then so will the delivery of email from any website on that server.
We’ve seen registration forms being abused and users having to clean up their database as a result of hundreds of thousands of new users being created within a short time period.
Another popular type of form that gets abused is mailing list sign-ups. Spammers target these types of forms heavily as they look to add random addresses to the mailing list including honeypot addresses (addresses that act as a spam trap, as if they receive email from an IP then it’s obviously spam since nobody should be sending email to their spam trap address).
A popular captcha being used on websites around the world is Google reCaptcha.