Most WordPress websites rely on Contact Form 7 (over 1 million active installs) because it’s reliable and easy to use.
Lately, for a growing number of people, Contact Form 7 appears to function properly, but the form never actually delivers the email that it’s supposed to. The problem isn’t with the plugin, though. The problem is with how most people configure it.
I stumbled onto the problem a few months ago when a client called in a panic because they went from receiving several leads every day to zero. I tested their form, and on the front end, everything appeared to work properly, resulting in a success message and redirection to a thank you page. But the emails never appeared.
After a little bit of digging, I found that it was caused by how it’s configured to send emails.
Most people use the default settings, which would make the email generated by the form appear to have been sent directly from the person submitting it, making it easy to reply to them.
While allowed by many web hosts, this is a form of spoofing, which masks the true source of these emails. I don’t know what triggered the change, but suddenly, most web hosts stopped allowing this.
Predictably, a lot of people were pissed off, but their anger was incorrectly directed at the plugin’s author, Takayuki Miyoshi. It was web hosts’ policies that changed, not the plugin. The fact is, they shouldn’t have been pissed at anyone though, because email was never supposed to be sent this way in the first place. It was a pretty wide security hole that had to be patched.
If you log into your WordPress admin area, you might see the following message near the top:
If so, then your forms are configured incorrectly. Even if you are receiving emails now, there is no guarantee that you will continue to.
The solution is simple. The email needs to be sent from an email address that exists on your server. I like to create a separate email address specifically for this. Next, configure your “From” field under the “Mail” tab of the appropriate form as such:
Finally, add the information below to the “Additional Headers” field (also under the “Mail” tab). This adds information to the header of the email that says even though it was sent by [email protected], any replies should be directed to the email address that was entered in the “Email” field of the form.
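The check below is an added example, not code from the original post or from the plugin: it audits a form's “From” and “Additional Headers” values for the two mistakes described above. It assumes the form uses Contact Form 7's default mail-tags `[your-name]` and `[your-email]`; `example.com` and `forms@example.com` are constructed placeholders, and comparing the From domain to the site domain is only a stand-in for "an address that exists on your server".

```python
import re

# Contact Form 7 mail-tag, e.g. [your-email]; replaced with submitted data at send time.
MAIL_TAG = re.compile(r"\[[^\]\s]+\]")


def _address(from_field):
    """Return the address part of 'Name <addr>' or of a bare 'addr'."""
    m = re.search(r"<([^>]*)>", from_field)
    return (m.group(1) if m else from_field).strip()


def audit_mail_settings(from_field, additional_headers, site_domain):
    """List the problems in one form's Mail tab settings (empty list = OK)."""
    problems = []
    addr = _address(from_field)
    if MAIL_TAG.search(addr):
        # The visitor's input becomes the sender address: the spoofed setup.
        problems.append("from-is-submitter-controlled")
    elif addr.rpartition("@")[2].lower() != site_domain.lower():
        # Assumption: mailboxes on your server use the site's own domain.
        problems.append("from-domain-not-site-domain")

    headers = {}
    for line in additional_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if not headers.get("reply-to"):
        # Without Reply-To, replies go to the site mailbox, not the visitor.
        problems.append("missing-reply-to")
    return problems


# Constructed sample settings: the spoofing setup and the corrected one.
WEAK = ("[your-name] <[your-email]>", "")
FIXED = ("Example Site <forms@example.com>", "Reply-To: [your-email]")

if __name__ == "__main__":
    for label, (frm, hdrs) in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_mail_settings(frm, hdrs, "example.com"))
```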