“From” vs “Reply-To” in Web Forms


Just like with storing user input in a database, you should be wary of user input with your contact forms. When a user submits a form, the email that gets sent from your site should be from an email on your domain.

If you are using transactional (trigger-based) email on your domain (via Mandrill by Mailchimp, SendGrid, Mailgun, etc.), you probably had to set up SPF and DKIM for sending from your domain. Those records are what verify your domain as a legitimate sender. But if your contact form puts user input in the SMTP “From,” you’re doing it wrong. The From should be something like noreply@yourdomain.com, and the Reply-To can be the user’s input.
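As an added example (not code from the original post), here is how a contact-form handler can build the notification message so that From always stays on the site's own SPF/DKIM-aligned domain while the user's address goes into Reply-To; the addresses `noreply@example.com` and `hello@example.com` are placeholders, and the address check also refuses CR/LF and multi-address input so a form field can never smuggle extra headers into the message.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed site identities (placeholder domain, not from the original post).
SITE_FROM = "noreply@example.com"      # verified sending domain: SPF/DKIM pass
CONTACT_INBOX = "hello@example.com"    # where form submissions are delivered

# Deliberately strict: one local part, one domain, no whitespace or control chars.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_reply_address(raw: str) -> str:
    """Return a single plain address safe to place in Reply-To, or raise ValueError.

    Rejects CR/LF (which would start a new header line), display-name forms
    such as 'Bob <bob@x.com>' and anything parseaddr cannot reduce to exactly
    the text that was submitted.
    """
    if any(ch in raw for ch in "\r\n\x00"):
        raise ValueError("control characters in address")
    candidate = raw.strip()
    _name, addr = parseaddr(candidate)
    if addr != candidate or not _ADDR_RE.fullmatch(addr):
        raise ValueError("not a single plain email address")
    return addr


def build_contact_message(user_name: str, user_email: str, body: str) -> EmailMessage:
    """Build the notification email: From is our domain, Reply-To is the user."""
    reply_to = validate_reply_address(user_email)
    # The display name also ends up in a header, so strip line breaks from it too.
    safe_name = re.sub(r"[\r\n\x00]", " ", user_name).strip()

    msg = EmailMessage()
    msg["From"] = SITE_FROM                                # never user-controlled
    msg["To"] = CONTACT_INBOX
    msg["Reply-To"] = formataddr((safe_name, reply_to))    # "Reply" reaches the user
    msg["Subject"] = f"Contact form message from {safe_name or reply_to}"
    msg.set_content(f"From: {safe_name} <{reply_to}>\n\n{body}")
    return msg
```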

With Mandrill specifically, those unverified domains will show in your Sending Domains list as unverified domains. (Before I realized we had forms using user input for “From,” it was driving me crazy to see Yahoo and Gmail show up in that list and to not have put them there.)

If you’re taking the steps to make sure you have verified sending domains, make sure you’re also being diligent in not using user input in your “From” fields.