Best Practices When Setting Up Email For Your Website

Avoid looking like spam

Mail service providers have been fighting relentless mail abuses like spam and spoofing. Since anti-abuse techniques aren’t flawless, there is always a possibility of false-positives; even if you are not a real spammer, behaving like a spammer can increase the likelihood of being treated that way.

Let’s consider the following situation. In the “From” header field, you can use an email address that has absolutely no connection to the domain of the site on which the contact form is placed. For instance, you can use your @yahoo.com address in the From field even when your site isn’t on yahoo.com. Consequently, the receiver sees an email claiming to be “From” yahoo.com, which is actually from a completely different server.

As you can do this, so can spammers — and they do. Therefore, if you use a From email address that does not belong on the site domain, especially if you haven’t implemented an authentication method (described later), it is difficult for mail service providers to distinguish your legitimate mail from spam.

Bottom line: in the From field, use an email address that belongs to the same domain as the site.

Specify Reply-to Address

When you reply to an email, the reply is normally sent to the address specified in the From field of the original mail. What if you didn’t want to receive replies at the From address?

In such cases, specify the address you want the receiver to reply to in the “Reply-To” header field of the original mail.

Prepare a “real” email address

It is recommended you prepare a real info@{your-site-domain} address on your host. If you rely on a default address in the From field of your auto-responder when someone completes the contact form on your site, someone might try to send mail to this address. Some hosts also block outgoing mail from addresses that don’t exist.

WordPress for example, uses the wordpress@{your-site-domain} address in its notification mail, including comment notification and new user notification.

Utilize email authentication

Even if you set an email address belonging in the site domain in the From field, spammers can still send spoofed mail as if you sent it from your domain. As long as the possibility of email spoofing exists, the risk of mail service providers confusing your legitimate mail for spoofed mail remains.

To protect your mail from this risk, you can utilize email authentication methods including SPF and DKIM, which are supported by most major mail service providers. For detailed instructions about how to set up authentication methods, consult your provider’s support.

Make sure you have appropriate values in mail fields

Be careful when using values from optional form input fields. Are your mail header fields valid even when the values are empty?

Also, be careful not to make the message body empty or too short. It not only makes the mail look like spam, but it also makes mail sending function fail on some hosts.

TOP