Rapidweaver Contact Form Forging the FROM address?

Here is what I received from my hosting company’s senior tech regarding problems I’ve had with mail delivery:

It looks like your FROM (name and email) are dynamic based on what the user on your website inputs, is this correct?

Doing it this way will cause the messages to bounce back, depending on DMARC/SPF and SMTP requirements. It will go through FROM some addresses, and bounce back FROM others. Which I think matches the description of your issue. The best solution is to have the FROM address set statically to something @ your domain name, like contact-form@estellaelafonisos.com (or info@ etc.) this will guarantee the message to be delivered.

What you have configured currently is called “forging the from address” which is not supported in most cases. It’s a common practice of spammers so most SMTP servers on the internet forcibly bounce anything with forged information.

You can read more about it at the below links, and why it’s disabled or discouraged.
http://www.howtogeek.com/121532/htg-explains-how-scammers-forge-email-addresses-and-how-you-can-tell/
email - Why is it even possible to forge sender header in e-mail? - Information Security Stack Exchange

What’s really going on with Rapidweaver’s contact form? Is it really forging the from address?

I think the solution is to select “Send email using your email address” in the Advanced option in page inspector.

I had this issue; using this setting worked.

Thank you, Neil. I’m afraid this method is going to cause even more problems.

I just tried the form with that advanced feature enabled, and sent a test message to myself. Look at the disaster that followed (attached).

The only reason it was not sent to the SPAM folder was because of a filter I created. And Google could not verify I was not a spammer!

In any case, my question still remains: Does the Rapidweaver contact form forge the FROM address?

If you send it from an email address using the same domain as your website, it will probably work.

Yahoo, Google etc. don’t like sending emails from website contact forms.

I’ve had this issue crop up over many years on WP and RW. The issue has always been solved (for me) by using the website’s domain in the email address that’s sending the email from contact forms.

1 Like

How’s that even possible?

Perhaps I’ve misunderstood you, but I believe this is impossible to do with Rapidweaver’s Contact form. The FROM and EMAIL address fields are dynamic, depending on user input. No end-user is going to enter an email address that corresponds to the website’s domain. They all use their own email addresses, i.e., yahoo, hotmail, gmail, etc.

Does this user input (which looks perfectly legitimate to me, BTW) amount to forging?

Hi there @andreasfmpro!

Some hosts require that the email from the form is sent by an email address from your domain name.

For instance let’s say I have a website with the domain mywebsite.com and my email address is bob@mywebsite.com. I would enable the “Send email using your email address” feature and populate the send to field with `bob@mywebsite.com`. This would satiate the host and send the email from `bob@mywebsite.com`.

The cool thing though is the Reply-To email address would still be that of the visitor to the site who filled out the form. This way when you wish to reply to the email sent by the form you will be replying to the visitor that submitted the form on your site.

Nothing is being forged. It is just that some hosts prefer things to be done this way for their own security measures. Other hosts do not require this. It varies from host to host, and that is why this feature is a part of the Contact Form.

2 Likes

The problem arises when you set the “from” email address. If you use a Gmail address as the “from” address, the contact form will try to send the email from the Gmail address. The problem is that the email isn’t being sent from Gmail, it’s being sent from your server, which isn’t a Gmail server. So Gmail and Yahoo mark these emails as spam and don’t deliver them.

So, as Adam says, the email needs to originate from the same domain it’s really being sent from. I’m not sure what you should set the “to” address as. I suppose you could try using the same as the “from” address.

1 Like

I hear you, Adam, but my hosting company claims that my contact forms forge
the from and email address fields. That’s how they explain the horrendous
problems my clients have been having with email from their website contact
forms getting misdirected.

Neil,

The FROM field in Rapidweaver is the TO field, apparently. However, when
the form is sent, it arrives to my client specifying the FROM field as the
end user’s address. In that light, the FROM field is always populated
dynamically by the end user. As the form designer, I have no control over
it.

The TO address can be the website owner’s (my client’s) email, so that I do
control. This field is probably the FROM field in Rapidweaver’s Contact
Form’s Settings. Confusing.

You may want to check with your host again as I suspect they’re using harsh wording that has you a bit more worried than they should. Change your form as @NeilUK, and others have suggested, using your email address that matches your site’s domain name, then republish and then check with your host to see if that is what they’re looking for.

1 Like

Yes, Adam, this is what I am planning on doing. Thanks.

Sorry this is dragging up an old thread but it is exactly what I am facing with all my contact forms.
I have been using Form Pro @Elixir and @Doobox contact form without a problem. But recently they have all seemed to stop working or become very flakey!!
Many conversations with Greg at Chillidog and he said the ‘FROM’ field was being forged!! So mail is either not being delivered or goes into spam. Email addresses that the form should be sent to are Gmail and Hotmail…
So did we ever find a solution…are there any contact forms that do not fill in the FROM field. (To be honest I don’t really understand quite what it all means)
Any recent advice would be grateful…

If you’re using Gmail and Hotmail email addresses, you’ll always run the risk of mail not being sent in the long run. Most hosts block emails that are not sent from an email address that is not matched to your domain.

You might find a short-term solution, but as I said, it’s a risk. Why not create an email using the same domain and just forward it to the Gmail and Hotmail accounts?

Thanks Neil…
I suggested this to Greg…his reply was “Also forwarding email is VERY bad and will hurt your domain reputation because it forwards real email and spam.”!!! So think that’s a ‘no’…then
The other solution I am looking at is using Doobox’s new stack Mailto…then don’t use the server at all???
Bit of a pain really!!!

I didn’t know that, but it’s good to know for the future. The Mailto stack sounds like a good option in your case.

OK, so we just pushed out an update to our HTML Contact stack, which may help you.

We added an advanced option (checkbox) “Compatibility Mode”.
This is checked by default to continue using the old default behaviour without any action required by current happy users.

If for any reason you find you are not receiving email from your form, after the form appears to successfully submit, then try unchecking the “Compatibility Mode” option.

What is this doing?
By default we have always cheated the email’s from header entry, and used the email that the form owner enters as the from header.
Why?
Because a vast number of hosts out there will not allow PHP to send mail from an email address other than one that is tied to the domain the form exists on.
If your site is www.yourdomain.co
anything@yourdomain.co is good
anything@anotherdomain.co is no good
So you can see why using the form filler’s email address as the from address as you’d expect will fail (very) often.

So what if the new “Compatibility Mode” option is unchecked?
Now unchecking the new option will use the form filler’s email address as the from header in the email, so it will not be seen as spam by some email hosts because of a cheated from address. With the obvious caveat that if you have one of the hosts that blocks emails being sent from an address other than one tied to the domain then it won’t work either.

2 Likes

Hi
Thanks @Doobox for that…will give it a go today…if it also continues to be a problem then I will purchase your Mailto stack, as that will bypass the server altogether??

1 Like

Hi @Doobox still doesn’t seem to work…the mails are sent but end up in my spam folder with the message “Be careful with this message

Gmail could not verify that it actually came from ntlworld.com. Avoid clicking links, downloading attachments or replying with personal information.”

That’s what has always been the problem. This is with compatibility mode unchecked…and checked!!

This is down to Gmail implementing SPF of late, and not all hosts being on the ball with it:
https://blog.returnpath.com/how-to-explain-spf-in-plain-english/

We were considering adding a 5th parameter to the PHP mail function, which changes the email envelope address (to that of the form owner, as opposed to the host in some cases), but with almost all shared servers running in safe mode, this 5th parameter would be ignored (and generate an error), and it does not work on Windows servers at all.
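
The arrangement discussed in this thread (a fixed From address on the site's own domain, the visitor's address only in Reply-To, and the envelope sender set through the fifth parameter of PHP's `mail()`), shown as an added PHP example that is not the code of RapidWeaver, Doobox or any other stack named here. The addresses reuse the thread's mywebsite.com illustration; the `contact-form@` mailbox and the function names are assumptions.

```php
<?php
// Added example; not code from RapidWeaver, Doobox or any other stack.
// Addresses reuse the thread's mywebsite.com illustration and are assumptions.
const SITE_SENDER = 'contact-form@mywebsite.com'; // mailbox on the site's own domain
const OWNER_INBOX = 'bob@mywebsite.com';          // where submissions are delivered

/** Refuse CR, LF and NUL so a form field cannot inject extra headers. */
function header_safe(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('control character in header value');
    }
    return trim($value);
}

/** Turn one form submission into the five arguments of mail(). */
function build_contact_mail(string $name, string $email, string $message): array
{
    $email = header_safe($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('visitor address is not valid');
    }
    $headers = [
        'From'         => 'Website contact form <' . SITE_SENDER . '>',
        'Reply-To'     => $email, // the only header that carries visitor input
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // The visitor's name and text go in the body, where line breaks are harmless.
    $text = preg_replace('/\r\n?/', "\n", "Name: $name\nEmail: $email\n\n$message");
    $body = str_replace("\n", "\r\n", wordwrap($text, 70, "\n"));
    // Fifth argument: envelope sender. Fixed site address only, never form input.
    return [OWNER_INBOX, 'Contact form submission', $body, $headers, '-f' . SITE_SENDER];
}

// Constructed submissions: one normal, one attempting to add a Bcc header.
$samples = [
    ['Visitor', 'visitor@example.com', 'Hello from the form.'],
    ['Visitor', "visitor@example.com\r\nBcc: other@example.net", 'Hello'],
];
foreach ($samples as [$name, $email, $message]) {
    try {
        $args = build_contact_mail($name, $email, $message);
        // mail(...$args); // enable on a host with a working mail transport
        echo "From: {$args[3]['From']}\nReply-To: {$args[3]['Reply-To']}\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```

On a host that does not accept the fifth argument, pass only the first four; the From and Reply-To headers are unaffected.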

Hi
I am using Chillidog Hosting, so reckon Greg should be ‘on the ball’!!

I am just filling in the contact form which asks for my email address (obviously)…that is the ntlworld.com (my email) bit - Greg said the forms are automatically filling in the ‘FROM’ field and this is causing the error…
so really don’t know what to do except go to using your Mailto stack which bypasses the server altogether and uses the enquirer’s own email to send…
W