Rapidweaver Contact Form Forging the FROM address?


(Andreas Belivanakis) #1

Here is what I received from my hosting company’s senior tech regarding problems I’ve had with mail delivery:

It looks like your FROM (name and email) are dynamic based on what the user on your website inputs, is this correct?

Doing it this way will cause the messages to bounce back, depending on DMARC/SPF and SMTP requirements. It will go through FROM some addresses, and bounce back FROM others. Which I think matches the description of your issue. The best solution is to have the FROM address set statically to something @ your domain name, like contact-form@estellaelafonisos.com (or info@ etc.) this will guarantee the message to be delivered.

What you have configured currently is called “forging the from address” which is not supported in most cases. It’s a common practice of spammers so most SMTP servers on the internet forcibly bounce anything with forged information.

You can read more about it at the below links, and why it’s disabled or discouraged.
http://www.howtogeek.com/121532/htg-explains-how-scammers-forge-email-addresses-and-how-you-can-tell/
http://security.stackexchange.com/questions/30732/why-is-it-even-possible-to-forge-sender-header-in-e-mail

What’s really going on with Rapidweaver’s contact form? Is it really forging the from address?


(NeilUK) #2

I think the solution is to select “Send email using your email address” in the Advanced option in page inspector.

I had this issue; using this setting worked.


(Andreas Belivanakis) #3

Thank you, Neil. I’m afraid this method is going to cause even more problems.

I just tried the form with that advanced feature enabled, and sent a test message to myself. Look at the disaster that followed (attached).

The only reason it was not sent to the SPAM folder was because of a filter I created. And Google could not verify I was not a spammer!

In any case, my question still remains: Does the Rapidweaver contact form forge the FROM address?


(NeilUK) #4

If you send it from an email address using the same domain as your website, it will probably work.

Yahoo, Google etc. don’t like sending emails from website contact forms.

I’ve had this issue crop up over many years on WP and RW. The issue has always been solved (for me) by using the website’s domain in the email address that’s sending the email from contact forms.


(Andreas Belivanakis) #5

How’s that even possible?

Perhaps I’ve misunderstood you, but I believe this is impossible to do with Rapidweaver’s Contact form. The FROM and EMAIL address fields are dynamic, depending on user input. No end-user is going to enter an email address that corresponds to the website’s domain. They all use their own email addresses, i.e., yahoo, hotmail, gmail, etc.

Does this user input (which looks perfectly legitimate to me, BTW) amount to forging?


(Adam Shiver) #6

Hi there @andreasfmpro!

Some hosts require that the email from the form is sent by an email address from your domain name.

For instance, let’s say I have a website with the domain mywebsite.com and my email address is bob@mywebsite.com. I would enable the “Send email using your email address” feature and populate the send to field with bob@mywebsite.com. This would satiate the host and send the email from bob@mywebsite.com.

The cool thing though is the Reply-To email address would still be that of the visitor to the site who filled out the form. This way when you wish to reply to the email sent by the form you will be replying to the visitor that submitted the form on your site.

Nothing is being forged. It is just that some hosts prefer things to be done this way for their own security measures. Other hosts do not require this. It varies from host to host, and that is why this feature is a part of the Contact Form.


(NeilUK) #7

The problem arises when you set the “from” email address. If you use a Gmail address as the “from” address, the contact form will try to send the email from the Gmail address. The problem is that the email isn’t being sent from Gmail, it’s being sent from your server, which isn’t a Gmail server. So Gmail and Yahoo mark these emails as spam and don’t deliver them.

So, as Adam says, the email needs to originate from the same domain it’s really being sent from. I’m not sure what you should set the “to” address as. I suppose you could try using the same as the “from” address.
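Added example (not part of the thread, and not RapidWeaver's own code): a Python sketch of the setup described in posts #6 and #7, with a fixed From at the site's domain, the visitor's address only in Reply-To, and a simplified domain-alignment check showing why a visitor-supplied From fails. `SITE_DOMAIN`, `SITE_SENDER` and the function names are assumptions; real DMARC alignment compares organizational domains against the SPF or DKIM domain, which this check only approximates.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed values; mywebsite.com is the example domain used in the thread.
SITE_DOMAIN = "mywebsite.com"
SITE_SENDER = "bob@mywebsite.com"


def clean_visitor_address(raw):
    """Return the visitor's bare address, or None if it must not go into a header."""
    if "\r" in raw or "\n" in raw:  # would let form input add extra headers
        return None
    _, addr = parseaddr(raw.strip())
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return addr


def from_is_aligned(from_header, sending_domain):
    """Simplified relaxed alignment: From domain is the sending domain or a subdomain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    sending = sending_domain.lower()
    return domain == sending or domain.endswith("." + sending)


def build_contact_mail(visitor_name, visitor_email, body):
    """Build the form mail: static From and To, visitor only in Reply-To."""
    visitor = clean_visitor_address(visitor_email)
    if visitor is None:
        raise ValueError("invalid visitor address")
    name = " ".join(visitor_name.split())  # collapse CR/LF and other whitespace
    msg = EmailMessage()
    msg["From"] = formataddr(("Website contact form", SITE_SENDER))
    msg["To"] = SITE_SENDER
    msg["Reply-To"] = formataddr((name, visitor))
    msg["Subject"] = "Contact form message"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample submission.
    mail = build_contact_mail("Alice", "alice@gmail.com", "Do you have rooms in May?")
    print(mail)
    print("site From aligned:", from_is_aligned(str(mail["From"]), SITE_DOMAIN))
    print("visitor From aligned:", from_is_aligned("alice@gmail.com", SITE_DOMAIN))
```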


(Andreas Belivanakis) #8

I hear you, Adam, but my hosting company claims that my contact forms forge
the from and email address fields. That’s how they explain the horrendous
problems my clients have been having with email from their website contact
forms getting misdirected.


(Andreas Belivanakis) #9

Neil,

The FROM field in Rapidweaver is the TO field, apparently. However, when
the form is sent, it arrives to my client specifying the FROM field as the
end user’s address. In that light, the FROM field is always populated
dynamically by the end user. As the form designer, I have no control over
it.

The TO address can be the website owner’s (my client’s) email, so that I do
control. This field is probably the FROM field in Rapidweaver’s Contact
Form’s Settings. Confusing.


(Adam Shiver) #10

You may want to check with your host again as I suspect they’re using harsh wording that has you a bit more worried than they should. Change your form as @NeilUK, and others have suggested, using your email address that matches your site’s domain name, then republish and then check with your host to see if that is what they’re looking for.


(Andreas Belivanakis) #11

Yes, Adam, this is what I am planning on doing. Thanks.